A DETAILED FORENSIC ANALYSIS AND RECOMMENDATIONS FOR RHODE ISLAND'S PRESENT AND FUTURE VOTING SYSTEMS
SUZANNE IRENE MELLO

A DETAILED FORENSIC ANALYSIS AND RECOMMENDATIONS FOR RHODE ISLAND'S PRESENT AND FUTURE VOTING SYSTEMS
BY
SUZANNE IRENE MELLO
A DISSERTATION SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE
UNIVERSITY OF RHODE ISLAND
2011

DOCTOR OF PHILOSOPHY DISSERTATION OF SUZANNE IRENE MELLO
APPROVED:
Dissertation Committee:
Major Professor Edmund Lamagna
Vic Fay-Wolfe
Joan Peckham
Yan Sun
Nasser H. Zawia
DEAN OF THE GRADUATE SCHOOL
UNIVERSITY OF RHODE ISLAND
2011

ABSTRACT

In 1997 Rhode Island moved from the mechanical lever machine to a more technically advanced optical scan precinct count voting system. In 2006, after several close races, Rhode Island's Supreme Court ruled that Rhode Island elections rely too heavily on voting technology. It is no secret that concerns about election systems are on the rise around the country. Each election, voters rely on machines from proprietary vendors to carry out democracy and officials worry about "Another Florida." We cast our vote and walk away with no evidence that our vote has become part of the official tally. In the event of an election failure, the only extant recourse is a total recount of paper ballots if they exist. Recounts are not only discouraged but by law are only conducted in a race with a very slim margin. This dissertation represents the first technical initiative to address Rhode Island's need for further technical understanding of the voting equipment in which we entrust our elections. We seek to increase the awareness of forensic techniques within our election technology community and to show how their inclusion in the election process can improve voter confidence as well as security and reliability. This work reviews and critiques the emerging election technology in the forefront today and analyzes its ability to work here in Rhode Island. We provide an analysis of our current system and offer technical advice on the future technologies we may consider. We introduce a new election algorithm, the WAVERI algorithm (Watch, Audit, Verify Elections for Rhode Island). Using set theory and forensic techniques, we prove it is possible to add an audit trail to our current system with little impact to the way our citizens vote. Working closely with the Rhode Island Board of Elections, we borrowed two election machines to hold a mock election. We then compared that election to an election on the WAVERI prototype to show how an
audit trail can be realized. Finally, a new metric, the Election Forensic Metric, is introduced to measure how well an election process protects itself and allows for comprehensive audits pre- and post-election.

ACKNOWLEDGMENTS

I would like to thank Professor Edmund Lamagna for his willingness to spend long hours discussing election technology. I would also like to thank him for his outstanding suggestions throughout the process. I look forward to further collaboration.

My committee members were extremely supportive. Professor Vic Fay-Wolfe encouraged me to study digital forensics. Professor Joan Peckham has been a long time mentor and friend to me. I appreciate the helpful comments from Professor Gerald Baudet, Professor Mark Comerford and Professor Yan Sun.

I am grateful to the Board of Elections for lending the election machines to me for the project. I would especially like to thank Robert Rapoza, Director of Elections, for being so kind to answer all my questions and Joe Vitale, Project Manager from ES&S, for sitting down with me and reviewing the Unity software.

A special thank you to my colleagues and friends from CCRI. Everyone knew that I was extremely busy these last few terms and they helped me lighten the load. Mike Kelly, Chair of Computer Studies, was especially supportive. Thank you Karen Allen, Tony Basilico, Maggie Burke, Debbie Grande, Kay Johnson, Don Paquet, Donna Scattone and Sandy Sneesby. I would like to thank Lorraine Berube. She goes the extra mile for her CSC students and we know it.

I would like to thank my family, Bill, Ezra and Zoe, for letting me spend countless hours on the computer. I know they are used to that, but it has been extra crazy these last few months. Thank you Mom and Dad for providing me with the foundation that allowed me to take on such a project. I will always be grateful for that. Thank you to my brother Matthew Mello for all the help and support throughout the years.

Finally, I am extremely grateful for the love and support of my husband Bill who read this entire document several times without complaint. His suggestions were invaluable to me.

DEDICATION

For my late sister Jeannine Mello

TABLE OF CONTENTS

ABSTRACT
ACKNOWLEDGMENTS
DEDICATION
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES

CHAPTER

1 Introduction
  Help America Vote Act of 2002
  Voluntary Voting System Guidelines
  Concerns about Election Technologies
  Software Independence
  Proprietary Software and Hardware
  Chain of Custody
  Universal and End-to-End (E2E) Verification
  History of Voting in Rhode Island
  Current RI Election Law
  List of References

Rhode Island's Election Process and Voting System
  OpTech III-P Eagle Precinct Counting System
  2.2 Ballot Layout
  Voter Experience on Election Day
  Pre-Election Set-up
  Chain of Custody
  Audit Capability
  Critique
  List of References

Existing Technologies
  Roles
  Fundamentals
  Mix Networks
  Public Key Encryption
  Cryptographic Hash Functions
  Cryptographic Commitment Schemes
  Trusted Workstation
  Aperio
  Ballot Layout
  Voter Experience on Election Day
  Back End Process
  Audit Capability
  Critique
  Scantegrity II
  Ballot Layout
  Voter Experience on Election Day
  Back End Process
  Audit Capability
  Critique
  Helios
  Ballot Layout
  Voter Experience on Election Day
  Back End Process
  Audit Capability
  Critique
  Prêt à Voter
  Ballot Layout
  Voter Experience on Election Day
  Back End Process
  Audit Capability
  Critique
  Other Related Work
  List of References

The WAVERI Election Algorithm
  Goals
  Algorithm Overview
  Ballot Layout
  Voter Experience on Election Day
  4.5 Back End Process
  Pre-Election Setup
  Election Day Initial Process
  Election Day Voting Process
  Post-Election Process
  RI Founder Election Post-Election Example
  Audit Capability
  Receipt Audit
  Tally Audit
  Randomized Partial Checking Audit
  Complete Set Audit
  Critique
  Cryptographic Scheme Addition
  System Crash
  List of References

Findings and Testing
  The WAVERI Prototype
  Set up New Election for Precinct
  Calculate Live Election
  Calculate Election from Stored Ballots
  Conduct Post Election Audit from Stored Ballots
  Mock Election
  Mock Election Set-Up
  Mock Election Results
  Mock Election Audit - Recounts
  Mock Election Audit - WAVERI
  Mock Election Conclusion
  The Election Forensic Metric
  Forensic Metric Goals
  Election Forensic Metric Definition
  Election Forensic Metric Definition Process
  Forensic Metric Target Audience
  Collecting and Reporting Mechanisms
  Metric Findings
  Future Work
  List of References

Recommendations
  List of References

BIBLIOGRAPHY

LIST OF TABLES

Table
1 Audit Results - Tally Audit
2 Audit Results - Complete Set Audit
3 Audit Results - RPC Audit
4 Mock Election Results - President/Vice President and US Senator
5 Mock Election Results - State Senator and Member of State Legislature
6 Mock Election Results - Director of Entertainment
7 Mock Election Results - Referendum Questions
8 Mock Election Audit Data
9 Mock Election Tally Audit - President/Vice President and US Senator
10 Mock Election Tally Audit - State Senator and Member of State Legislature
11 Mock Election Tally Audit - Director of Entertainment and Referendum Questions
12 Mock Election Complete Set Audit
13 Forensic Metric Components
14 Forensic Election Metric - Degree of Openness
15 Forensic Election Metric - Software Chain of Custody
16 Forensic Election Metric - Hardware Chain of Custody
17 Forensic Election Metric - Ballot Chain of Custody
18 Forensic Election Metric - Audit Capability
19 Calculation of Forensic Metric - RI Election Process
20 Forensic Election Metric Findings - Degree of Openness
21 Forensic Election Metric Findings - Software Chain of Custody
22 Forensic Election Metric Findings - Hardware Chain of Custody
23 Forensic Election Metric Findings - Ballot Chain of Custody
24 Forensic Election Metric Findings - Audit Capability
25 Forensic Election Metric Findings - Error Detection Capability

LIST OF FIGURES

Figure
1 Liberty, Property, & No Stamps - A proxy ticket from 1766, Schofield Collection [19]
2 OpTech III-P Eagle (Front)
3 OpTech III-P Eagle (Side)
4 OpTech III-P Eagle (back)
5 OpTech III-P Eagle (keys)
6 An example of a Rhode Island ballot from November 2, 2010 election (front side)
7 An example of a Rhode Island ballot from November 2, 2010 election (back side)
8 An example of an Aperio ballot from Aperio: High Integrity Elections for Developing Countries [25]
9 An example of a Scantegrity II ballot as depicted in Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes [32]
10 An example of a set of Scantegrity commitment tables from Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes [32]
11 An example of a set of Scantegrity commitment tables postelection Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes [32]
12 An example of a Helios ballot from Electing a University President using Open-Audit Voting: Analysis of real-world use of Helios [7]
13 An example of a Prêt à Voter ballot from
14 WAVERI RI Founder Election Ballot
15 Example of three WAVERI RI Founder Election receipts
16 Venn diagram of audit code set S with disjoint candidate subsets
17 WAVERI RI Founder Election Cast Ballots
18 Venn diagram of audit code set S after vote
19 RI Founder Election Results Website
20 Z = S U
21 WAVERI Prototype Menu Screen
22 WAVERI Option 1 - Set up New Election for Precinct
23 WAVERI Stored Audit Data
24 WAVERI Option 4 - Calculate a Live Election
25 WAVERI Live Election Results
26 WAVERI Option 3 - Conduct Post Election Audit
27 WAVERI Post Election Audit Data
28 Demo Ballot Example (front)
29 Demo Ballot Example (back)

CHAPTER 1

Introduction

In accordance with Rhode Island law governing the conduct of elections (Title 17, Chapter 17-19, Section ), all precincts moved from mechanical lever machines to optical scan precinct count voting systems in 1997 [1]. This new system went unchallenged until the 2006 election, when candidates in very close races asked for a paper ballot recount. They wanted to compare the electronic scanner results to a paper by-hand recount. The candidates had many questions about the new election system and felt too much trust and authority had been placed in the scanners. It was the state Board of Elections' opinion that a manual review of paper ballots would undermine the new system and therefore the board would not allow the paper ballot count. In early December 2006, Superior Court Associate Judge Stephen J. Fortunato Jr. agreed with the candidates that the state Board of Elections relied too heavily on the optical scanners. A few days later, this decision was upheld by the RI Supreme Court [2].

The use of voting technology is increasing across the country. This trend is fueled mostly by the events surrounding the 2000 presidential election when, for the first time since 1897, the US Supreme Court needed to be called in to settle the election. In reaction to this debacle, the Help America Vote Act (HAVA) of 2002 was established, which created a federal overseeing body, the Election Assistance Commission (EAC), to administer the election process [3]. HAVA mandates that states take a closer look at their voting procedures, which includes everything from the voting equipment to training the workers at the polls.

The optical scanners that we currently use in all 39 cities and towns are based on 20-year-old technology. The Board of Elections has requested funding to upgrade
these systems and would like to have replacements in place by the 2012 election. Newer technology makes room for improvements, but it also opens the door to further possible error scenarios such as security breaches, programming errors or hardware problems. Poll workers will also need to be retrained, which could lead to increased human error.

Since it is the opinion of the RI Supreme Court that we ceded too much authority to the optical scanners today, and our dependence on voting technology in RI will only increase with more technically advanced systems, it follows that the state should start a serious technical initiative to ensure our elections remain fair and without controversy as we continue to advance technology in Rhode Island's future elections.

This study is the first election technology project of its kind in Rhode Island. To the best of our knowledge, there are no computer scientists from Rhode Island universities, colleges, or corporations that have embarked on research in this area. No forensic or in-depth technical analysis of our election process has been completed. This work describes and tests a comprehensive election audit process that will benefit Rhode Island.

The demand for election auditing is increasing and this project gives Rhode Island a head start. For example, consider the Voter Confidence and Increased Accessibility Act of This bill was first proposed in the House of Representatives, sponsored by New Jersey Representative Rush Holt, and recently reintroduced in 2009 for the 111th Congress. If this bill is passed, Rhode Island may be asked to perform analyses on the technology, disclose reports and analyses that describe operational issues pertaining to the technology (including vulnerabilities to tampering, errors, risks associated with use, failures as a result of use, and other problems), and describe or explain why or how a voting
system failed or otherwise did not perform as intended [4]. This dissertation helps Rhode Island to satisfy the requirements of this bill and could put the state in a position to lead the nation.

The Voter Confidence bill is supported by many computer scientists who recognize the need to have an independent means to verify elections. In fact, the ACM (Association for Computing Machinery), the world's largest educational and scientific computing society, has expressed support for this bill. In a letter to NJ Representative Rush Holt on July 10, 2009, the ACM U.S. Public Policy Council (USACM) states that they support the provisions of the bill requiring that voters have an independent means of verifying their votes [5]. The USACM serves as the focal point for ACM's interaction with U.S. government organizations, the computing community, and the U.S. public in all matters of U.S. public policy related to information technology [6].

The ACM reported that concerns about unverifiable proprietary voting machines are rising. The organization conducted a survey among its members and 95% expressed concerns about the current state of our voting machines and recommended serious safeguards be put in place [7]. The USACM has put together a policy statement. In summary, the policy statement recommends that all voting systems have strong safeguards and rigorous testing in their design and operation. The policy statement outlines the need for a verification process that may serve as an independent check on the result that is produced and stored in the system [8].

1.1 Help America Vote Act of 2002

One of the most significant improvements to election reform in decades, the Help America Vote Act of 2002 (known as HAVA) was adopted approximately two years after the controversy surrounding the 2000 presidential election. HAVA created new mandates for states to follow. Since elections are governed at the
state level, it is up to the states to determine how to interpret and adhere to the act. Payments and grants are available to states in various sections of the law. In 2004, approximately $1.3 billion of appropriated funds were disbursed to 42 states, American Samoa and the District of Columbia [9].

One of the key decisions of HAVA was the establishment of the Election Assistance Commission (EAC). The EAC oversees the distribution of funds and assists states in adapting to new standards. Although the commission has no federal regulatory authority, it gives election administration national visibility and serves as a focal point for states. As part of HAVA, the following technically interesting initiatives are administered by the EAC:

Improved Voting Systems - HAVA gives the EAC an active role in developing guidelines on the certification of election machines. Voting system requirements are specified under HAVA such as the necessity of audit trails and the replacement of punch card systems. The Technical Guidelines Development Committee (TGDC) was established to develop and maintain a nationally accredited specification called the Voluntary Voting System Guidelines (VVSG) [10]. The committee is also responsible for the accreditation of national Voting System Test Labs (VSTL) where vendors can bring their election machines to gain certification.

Statewide Voter Registration Databases - Under the act, each state is required to maintain an up-to-date electronic list of eligible voters. This database must be capable of sharing information with other states as well as the federal government. To help states realize and overcome challenges in implementing and maintaining the database, the EAC asked the National Research Council (NRC) to form a technical committee and hold workshops among state officials and technology experts. In April 2008, the committee
released its interim report, which outlined various challenges and described potential short term and long term recommendations [11].

Election Administration Issues - The EAC is required to study the implications of electronic voting, human machine interaction, military and overseas voting, voters who register by mail, identification of new voters, as well as accessibility for voters with disabilities.

Provisional Ballots - If a voter's name does not appear on the official list of eligible voters for that polling place, he or she is entitled to cast a provisional ballot. The ballot will be counted at a later date if the provisional voter is found to be entitled to vote.

Although a step in the right direction, many believe HAVA also had an unintended consequence. According to a letter received from Congressman Rush Holt on November 23, 2010, HAVA fueled a rush by states and localities to purchase computer voting systems that suffer from a serious flaw: voters and election officials have no way of knowing whether the computers are recording votes accurately [12].

States that receive funding under HAVA are required to adhere to set standards as well as establish a state run grievance procedure to handle potential complaints. There are also funds available to encourage college and high school students to participate in the political process by volunteering as poll workers. The full contents of the act can be found on the EAC website (

1.2 Voluntary Voting System Guidelines

The National Institute of Standards and Technology (NIST) is the federal technology agency that works with industry to develop and apply technology, measurements, and standards [13]. At the request of the Technical Guidelines
Development Committee (TGDC), the National Institute of Standards and Technology (NIST) has drafted and actively maintains the Voluntary Voting System Guidelines. The VVSG is considered the most important technical specification available for election technology. All involved in the creation of election software and hardware need to consult and adhere to this document to be considered serious election technology manufacturers in the United States. The VVSG is broken up into two volumes as follows:

VVSG Volume I: Voting System Performance Guidelines details the functional capabilities required of all voting machines.

VVSG Volume II: National Certification Testing Guidelines describes the testing process that is designed to provide documented independent verification by an accredited testing lab.

The EAC approved their 2005 version of the VVSG recommendations on December 13, This standard contained the first federal standard for Voter Verified Paper Audit Trails (VVPAT). Many states require that their voting systems include a paper trail. The VVSG is a living document. Immediately after the 2005 version was approved, the next iteration of recommendations was started and completed in August The 2007 comments take a closer look at security requirements as well as equipment integrity and reliability [10]. In February 2009, the EAC adopted a VVSG schedule stating that new versions of the VVSG should be released in five year intervals. At the time of this writing, the 2007 VVSG guidelines public comment period has ended and the EAC is reviewing all comments and making final modifications.

If a voting system meets the defined guidelines, it is considered nationally certified. Although NIST is developing a set of public test suites that check for
adherence to the recommendations, the EAC assumes federal responsibility for accrediting voting system test laboratories and certifying voting equipment. The certification process is a means by which vulnerabilities that could result in failure to complete operations in a satisfactory manner may be detected.

1.3 Concerns about Election Technologies

There are countless stories of elections being bought or stolen, ballot miscounts and voter fraud. Voting systems are very demanding and have conflicting requirements, which leads to increased complexity. They are expected to tally accurately, and to be fully secure while maintaining the secrecy of the vote. Officials around the country are spending millions of dollars on proprietary systems from private vendors and still can't tell if the software is counting votes properly. Summarized below are the main concerns that this thesis addresses.

Software Independence

In a white paper written for the TGDC, Ron Rivest of MIT and John Wack of NIST define software independence in voting systems as follows: "A voting system is software independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome" [14]. In other words, the voting system should produce records in a manner that can be audited by other means than the use of its own software. They further propose that software independence in voting systems be preferred, and software dependent voting systems be avoided.

An example of a software dependent voting system is the Direct Recording Electronic voting machines (DREs) used in several states. In an election using DREs that took place in the 13th Congressional District of Florida in 2006, there was a slim margin of only 369 votes. It was determined that in Sarasota County,
where DREs with no paper trail were used, 18,000 votes went unrecorded [15]. Since there was no software independence, and no independent audit record of any kind, the true intentions of the voters in this race will never be known.

In contrast, an example of software independence is a system that maintains a paper trail that can later be used for recounts. In the 2008 U.S. Minnesota Senate race between Senator Norm Coleman and comedian Al Franken, a narrow margin of less than 500 votes in a 3 million ballot race triggered a hand recount under Minnesota law. Ruth Johnson, a clerk from Oakland County, wrote in a concerned letter to EAC Chairwoman Rosemary Rodriguez just prior to the election, "The same ballots, run through the same machines, yielded different results each time" [16]. The optical scan machines that Ms. Johnson was referring to were manufactured by Election Systems and Software (ES&S) and are known as the M-100 optical-scan machines. They are considered to be a later generation of the OpTech machines we use here in Rhode Island. ES&S disputed Johnson's claim and attributed the problem to operator error. Regardless of the cause of the problem, the paper ballots gave the system software independence and allowed for a hand recount.

In Rhode Island, fortunately we still have a paper trail of ballots that can be recounted. As we consider new technologies, it is important that we continue to improve the software independence of our system and not diminish it.

Proprietary Software and Hardware

Most election machines in use today are built and maintained by private companies and are totally proprietary. The OpTech machine used in Rhode Island is proprietary and maintained solely by Election Systems and Software (ES&S). During an election, voters can observe if the ballot is accepted by the machine and if the count increments. If there is a problem, an error message may be
displayed. Voters cannot observe if the ballot is counted correctly, accepted without miscalculation or used to cast votes for their intended candidates. Many computer scientists believe that election machines and processes should be open, transparent and available for public examination. The code should be subject to periodic reviews by qualified computer scientists in an open environment to be sure the system is error free and operates as intended.

Chain of Custody

Chain of custody in an election refers to the safe keeping, control and secure transport of ballots, as well as the hardware and software required to conduct an election. The public should feel confident that the ballots and election machines are secure from the moment of their creation until the final tally at the Board of Elections. Unfortunately, elections today are entrusted to the hands of a few officials and the public has no means to verify this process. We will explore various forensic techniques to rectify this situation.

Universal and End-to-End (E2E) Verification

Traditional voting systems do not allow for verifiability or auditability after the election takes place. There are many interpretations of what it means for an election to be verifiable. At the time of this writing, no agreement on a formal definition has been reached. Most agree that the verifiability of elections is considered to be end-to-end when voters feel confident that their vote was cast as intended, recorded properly and included in the final tally. End-to-end verification requires that strong evidence exist that the voter's ballot is part of the final tally while at the same time it takes care not to expose the voter's identity. Universal verification further requires that anyone be able to audit the election and feel comfortable that all votes were counted and the election was carried out accurately.

Most end-to-end voting systems emerging today provide the user with a receipt with a unique identifier that can be looked up on a bulletin board to verify the vote was included in the final tally. To keep a voter's choices secret, the link from the receipt to the actual candidate choices remains hidden using various cryptographic methods. Although it remains secret in theory, the link exists and if necessary can be decrypted. This puts into question the definition of secret ballot [17]. Most of the systems analyzed require the auditors to understand cryptography. Therefore it is our opinion that these systems cannot be considered universally verifiable. We will explore this notion further when we discuss our findings.

1.4 History of Voting in Rhode Island

Forced to flee Massachusetts for fear of religious persecution, Roger Williams founded Rhode Island in Williams purchased land from the Narragansett tribe and established the first European settlement in Providence, Rhode Island. He established a policy of religious and political freedom and was soon joined by Ann Hutchinson, who founded Portsmouth in 1638, and William Coddington and seven others, who founded Newport in 1639 [18]. In 1663 King Charles II of England granted the Colony of Rhode Island and Providence Plantations a royal charter and the colonists created a document that was used to govern until 1843, when Rhode Island's first Constitution was approved.

In the early years, only freemen (property owners) had the right to vote and they were required to travel to Newport to cast their votes. Voters were either given blank sheets of paper where they filled in the name of the candidates or voted by voice in a town meeting. Since traveling to Newport was an encumbrance for many, RI invented the first system of using proxy. These proxies, or printed paper ballots, contained a list of candidates from which freemen could choose to elect, or cross out a name and write in a candidate of their choice, and sign the
back of the ticket (See Figure 1). The tickets would then be delivered to Newport [19].

Figure 1. Liberty, Property, & No Stamps - A proxy ticket from 1766, Schofield Collection [19]

Different political parties provided the freemen with their faction's ballots and made no attempt to offer secrecy. The ballots were often printed in different colors to distinguish one political group from another. To combat this practice the use of envelopes began to be enforced. Then in 1853 opponents of secrecy came into power and the envelope was made optional. Voters who were bribed could prove who they voted for once again. On March 29, 1889, the Rhode Island General Assembly adopted the Australian type of secret ballot in envelopes, which officially ended the practice of voting using proxy tickets for political parties [20].

Once the ballot became standardized, it became possible to create mechanical devices for ballot casting and counting. Throughout history, technologists have
led the way to the formal articulation of the requirements of voting systems [21]. The mechanical lever machine was introduced in New York in the late 1800s. To use the lever machine, voters entered a tall booth where a curtain was drawn behind them for privacy. The machine consisted of a series of levers where the voter simply moved a lever to indicate his choice. After the voter was done making his choices, he pulled a large lever that cast his votes as well as opened the curtain behind him. The mechanical lever machine did not keep track of individual ballots but just maintained a counting mechanism that recorded the total count for each candidate. The lever machine was introduced in Rhode Island in the middle of the twentieth century and was in action here until being replaced by the optical scan precinct count voting system in 1997, which is still in use today.

1.5 Current RI Election Law

The Rhode Island Board of Elections under the Secretary of State is the agency charged with the regulation of election law. According to their mission statement, "The Board of Elections protects the integrity of the electoral process and effectively and efficiently administers the election laws of the United States and the State of Rhode Island" [22]. Rhode Island has a large body of legislation concerning elections, which is collected in Title 17 of the State of Rhode Island General Laws. Summarized here are the statutes that are important for this study. The laws in their entirety can be found in the Rhode Island Legislative online data system (

Title 17, Chapter 19 concerns the conduct of election and voting equipment and supplies. Within section there are three definitions that are important for this work.

Computer Ballot - A computer ballot is defined as a paper ballot prepared by the office of Secretary of State for use in conjunction with the optical scan
29 precinct count system. Voting Equipment - Voting equipment is an optical scan precinct count voting system, related memory device, all related hardware and software, and voting booths. Vote - A vote is a mark made between the head and tail of the arrow on the computer ballot next to the party, candidate, write-in candidate or question, as is applicable, for whom the voter casts his or her ballot. Section lists the specifications and minimum requirements for the optical scan precinct count voting system. This section gives the details of how a voting system shall be constructed and how its software is required to operate. It also includes information about tallying of votes, designing of ballots, testing of machines and training of poll workers. This section points out that the manufacturer must comply to the Federal Election Commission standards and must pass the certification tests conducted by an independent testing company. When it is time to purchase new voting equipment, these specifications are included in the request for proposal. Sections through discuss ballot arrangement and how ballots will be printed and furnished. Some of the details discussed include candidate, local question and party emblem placement, as well as color and form choices. Section describes the preparation and testing of the voting equipment prior to an election. It states that the Board of Elections is responsible for the testing of the memory cartridge, each machine for logic and accuracy, and the set up at each polling place. There are no specific tests listed at this time. Sections through concern the chain of custody of the optical scan precinct count units before and during the election. They describe the process of delivering keys to unlock the machines and using envelopes to keep the keys 13

30 secure. In the event of a system failure, the process for replacing machines is also discussed. Sections , , and describe the chain of custody of the voting machines and ballots after the election. The procedures for delivering the ballots and voting equipment back to the Board of Elections is also discussed. At the end of each statute, a list of the last date that the law was updated is maintained. According to the History of Section subsection, most of Title 17 - Elections was last altered in 1996, just prior to the acquisition of the optical scan equipment. From the wording of the statues it is clear that the legislation was written specifically to accommodate the entry of optical scan technology. In particular the OpTech brand name also appears in many places throughout the legislation. Given the 1996 date, it also follows that the laws in their current form make no reference to new provisions from the Help America Vote Act or the Voluntary Voting System Guidelines. We will revisit the laws later in this work when we recommend changes to reflect the need to include emerging technologies, stronger chain of custody rules, as well as eliminating the specific brand names from the legislation in their entirety. List of References [1] State of Rhode Island General Assembly. Rhode Island General Laws, title 17 - elections - chapter conduct of election and voting equipment, and supplies. Last accessed on December 23, [Online]. Available: [2] B. N. Gedan, Rhode Island: Paper vs. scanner: Ensuring the vote s integrity, Providence Journal, December [3] United States Congress. Help America Vote Act of Last accessed on December 17, [Online]. Available: the eac/ help america vote act.aspx 14

[4] United States Congress. Voter Confidence and Increased Accessibility Act of Last accessed on December 17, [Online]. Available:
[5] P. Eugene H. Spafford. A letter to representative Rush Holt in support of the voter confidence bill. Last accessed on December 17, [Online]. Available: holt bill Final3.pdf
[6] ACM US Public Policy Council. USACM news and activities. Last accessed on December 17, [Online]. Available:
[7] U. S. Public Policy Committee of the Association for Computing Machinery (USACM). Comments on voluntary voting system guidelines. Last accessed on December 17, [Online]. Available: http://usacm.acm.org/pdf/usacm VVSG Comments Final.pdf
[8] U. S. Public Policy Committee of the Association for Computing Machinery (USACM). ACM policy recommendations on electronic voting systems. Last accessed on December 17, [Online]. Available:
[9] R. G. Saltman, The History and Politics of Voting Technology. Palgrave Macmillan,
[10] Draft Voluntary Voting System Guidelines Version 1.1, National Institute of Standards and Technology, May
[11] Improving State Voter Registration Databases Final Report, National Research Council of the National Academies,
[12] R. Holt, A letter to Suzanne Mello Stark concerning HAVA, November 2010, letter received in response to my support of Voter Confidence and Increased Accessibility Act.
[13] National Institute of Standards and Technology (NIST). National Institute of Standards and Technology (NIST). Last accessed on December 20, [Online]. Available:
[14] R. L. Rivest and J. P. Wack. Massachusetts Institute of Technology and National Institute of Standards and Testing. On the notion of software independence in voting systems. Last accessed on December 23, [Online]. Available:
[15] CNN Politics. Florida candidate disputes election results. Last accessed on December 23, [Online]. Available: 1 election-results-republican-vern-buchanan-voting-system? s=pm:politics
[16] K. Zetter, Undecided Minnesota senate race used machines that flunked accuracy tests, Wired Magazine, November
[17] D. W. Jones, Some problems with end-to-end voting, in End-to-End Voting Systems Workshop, October 13-14, 2009, Washington DC. University of Iowa,
[18] State of Rhode Island Secretary of State. History of Rhode Island. Last accessed on December 21, [Online]. Available: http://sos.ri.gov/library/history/
[19] R. J. DeSimone and D. C. Schofield, Rhode Island Election Tickets, A Survey. University Library, University of Rhode Island, April
[20] M. Moakley and E. Cornwell, Rhode Island Politics and Government. University of Nebraska Press,
[21] D. W. Jones, Early requirements for mechanical voting systems, in RE-VOTE 2009 Proceedings of the 2009 First International Workshop on Requirements Engineering for e-voting Systems,
[22] State of Rhode Island Board of Elections. State of Rhode Island Board of Elections mission statement. Last accessed on December 22, [Online]. Available:

CHAPTER 2

Rhode Island's Election Process and Voting System

The United States Congress passed the Help America Vote Act of 2002 (HAVA) in part to provide federal funding to help states modernize voting equipment and to adhere to the law's new procedures. HAVA also established the U.S. Election Assistance Commission (EAC) to administer the federal funding and to provide guidance to states. The law was put in place after a serious recount problem that happened in Florida during the 2000 presidential election. After HAVA passed, several states quickly upgraded their equipment from punch card systems to paperless direct recording electronic voting systems (DRE) only to introduce new problems without a paper trail to perform necessary recounts. In contrast, Rhode Island has had very few problems with elections and has managed extremely well during this intense period of scrutiny and change.

This chapter documents the election process as it exists in Rhode Island today. It is our hope to provide the necessary background for recommendations for future elections in a post-HAVA world.

Overseen by the Secretary of State's office, the Board of Elections is responsible for administering all governmental elections in Rhode Island. At the time of this writing, other than what is provided in Title 17, no public documentation is available pertaining to the pre-election process required to set up the voting systems or the transport and custody of the election technology. Since the voting machines themselves are proprietary, limited information regarding how they work is available, and the software used is undisclosed. This is not uncommon or unusual. Most election processes today are in the hands of a few officials and the election technology is maintained by private companies under contract.

Since 1997, the contract in Rhode Island has been held by Election Systems & Software based in Omaha, Nebraska. ES&S has been in operation since 1979, and maintains technology in four countries and 41 states with more than 4,000 election offices [1]. It is the largest manufacturer of election equipment in the country with a revenue of $149.4 million in 2008 [2].

In fact, the United States government has recently shown concern over the size and authority of ES&S. On March 8, 2010, the Department of Justice stepped in and stopped a potential merger between the two largest voting equipment manufacturers, ES&S and Premier Election Solutions [2]. The Antitrust Division of the Department of Justice, along with nine state attorneys general, filed a civil antitrust lawsuit alleging that the merger would significantly reduce competition. According to the complaint, if ES&S were allowed to acquire Premier, 70 percent of voting equipment sold in the United States would be maintained and manufactured by one company.

2.1 OpTech III-P Eagle Precinct Counting System

Manufactured by ES&S, the OpTech III-P Eagle optical ballot tabulator is the voting system in use in governmental elections in the State of Rhode Island (Figure 2). The OpTech is an electronic ballot counting device which reads ballots by scanning for the voter's marks. Hidden behind a rear locked door, each machine has a removable memory pack that is programmed to contain the specific information about the ballot format for the precinct (Figure 4). The machine operates at the precinct level and at poll closing is also used to tally the votes. The election results are printed on a paper tape that is dispensed at the top of the election machine. The results are also stored on the removable memory pack. The capability to use dial-up and transmit the election results over phone lines also exists.

Figure 2. OpTech III-P Eagle (Front)

When the ballot enters the machine, it is scanned and the votes are recorded. If an error occurs with the ballot (overvote, undervote, etc.), the ballot is ejected partially from the machine and the paper tape records further instructions for the poll worker and voter. When an uncounted, undamaged ballot is returned to the voter, the voter has the choice to override and force the machine to accept the ballot. In this situation, the poll worker uses the keypad on the back of the machine (Figure 4) to enter a #3. This forces the machine to accept the ballot although the problem races will not be counted.

To maintain the paper trail, the OpTech sits on top of a three compartment ballot box. When a ballot is cast, the ballot is pulled fully into the machine and directed into one of the locked compartments for storage (see Figure 3). If a write-in candidate is indicated on the ballot, the ballot is directed to the center compartment (1). The ballots with write-in candidates can then be easily separated and counted after the election. All other ballots are directed to the back compartment (2). In the event of a power outage or machine malfunction the emergency compartment on the front of the machine is unlocked manually and the ballots are stored there until the problem is resolved (Figure 2). When the machine comes back into service, a poll worker removes the ballots from the emergency front compartment and feeds the saved ballots into the machine to be counted [3]. The emergency compartment is then relocked.

Figure 3. OpTech III-P Eagle (Side)

For security reasons, the memory pack, power cord, keypad and ballot compartments are kept locked. A set of keys, as seen in Figure 5, is safeguarded and used to open the locked areas on the election machine when needed.

Rhode Island and all states that use the OpTech voting machine were notified that ES&S will no longer manufacture and maintain the machines as of The Board of Elections (BOE) has indicated that the contract with ES&S ends in June 2011, and the BOE would like to have new machines in place for the next Presidential election in At the time of this writing, the funding for a new contract has not been appropriated, and it is unclear when the request for proposal process will begin.

Figure 4. OpTech III-P Eagle (back)

Figure 5. OpTech III-P Eagle (keys)

2.2 Ballot Layout

The OpTech ballots may vary from one column to three columns in width and may be printed on one or both sides. Each column may have one or more races. The front and back of a ballot from the November 2, 2010 election are depicted in Figures 6 and 7. This ballot was made available by the Rhode Island Secretary of State's office prior to the November 2, 2010 election ( After the election results were final, the sample ballots were removed from the website and can no longer be found online. Ballots are marked using the felt marking pen provided or with a #2 lead pencil by connecting the head and the tail of the arrow that points to the voter's choice of candidate.

Figure 6. An example of a Rhode Island ballot from November 2, 2010 election (front side)

Figure 7. An example of a Rhode Island ballot from November 2, 2010 election (back side)

2.3 Voter Experience on Election Day

The voter arrives at the polling place and checks in at the registration desk by stating their full name and residential address. The voter's name and address are looked up in the poll book. Next to the voter's name is a label with a bar code that contains the voter's information. This label is removed from the poll book and affixed to the next numerical ballot application. The voter is asked to sign the ballot application. The voter is given a ballot in a secrecy sleeve and is instructed to go to a voting booth to fill out the ballot. In the booth, the voter uses a felt pen that is provided to mark the ballot. Once finished marking the ballot, the voter places the ballot back into the secrecy sleeve and walks to the OpTech machine. The voter then removes the ballot from the secrecy sleeve and inserts the ballot into the voting machine. If the ballot is read successfully, the machine accepts the ballot and the public display counter increases by one. If the ballot is rejected, the ballot will be ejected half way and the machine will beep. A poll worker will instruct the voter on his/her right to override or to receive a new ballot. Once the ballot is accepted, the voter leaves the polls.

2.4 Pre-Election Set-up

Prior to each election, it is the responsibility of the Board of Elections to create ballots and to program the election machines to recognize the appropriate ballot for each precinct. To help in this process a project manager, an employee of ES&S, is assigned to Rhode Island and works at the Board of Elections headquarters full time as part of the contract. The software used to create ballots and link to OpTech machines is called the Unity Election Management System and is also developed and maintained by ES&S [4]. Unity consists of the following components:

Unity Election Data Manager (EDM) - EDM is the database that maintains the information about all races and candidates to allow for creation of ballots by precinct. This data is manually entered by the project manager and is updated as needed prior to each election.

Unity Ballot Image Manager (BIM) - This application creates images of each ballot. The number of columns and whether two-sided ballots are needed are determined by the number of races. Many cities and towns have their own rules for position of races which further complicates the process. The program also creates a bar code that identifies each ballot image and places it in the ballot header. Once the ballot images are complete, they are forwarded to a professional printer where the hard copies of the ballot are made. After completion, ballots are returned to the Board of Elections in shrink-wrapped packages that consist of 100 ballots to a pack.

Unity Programming Manager (HPM) - This application imports each ballot image and burns it to a memory pack. One by one, the memory packs are burned and then locked into an OpTech machine with a blue plastic seal. Once burned, the memory pack will only recognize the one ballot image that it was assigned.

Unity Data Acquisition Manager (DAM) - After the election, this program reads in each memory pack and tallies the results across precincts.

Unity Election Reporting Manager (ERM) - ERM takes in the election results from the data acquisition manager and generates paper and electronic reports.

Prior to the delivery to precincts, each machine is tested to verify that it correctly recognizes the appropriate paper ballot. The number of ballots tested depends on the number of races and candidates on each ballot. The ballots are marked to be sure that all ballot positions are checked. On average there are twenty ballots run through each machine. When the ballot is scanned by the OpTech machine, the bar code is checked. If the ballot bar code does not match the bar code programmed into the memory pack, the ballot is rejected.

2.5 Chain of Custody

Prior to the election, the machines and ballots are delivered to each precinct. To maintain a chain of custody, a delivery slip is used to track the equipment. The slip is signed when picked up and delivered by the transport company and the local board of canvassers. At the time of this writing, there is no documentation on processes used to secure the equipment.

2.6 Audit Capability

The OpTech system maintains a paper trail. Therefore, in the event of a close race, the ballots can be reentered into the machine and recounted. In the event of a system failure, the paper tape is the only source of audit to discover the fault. The Rhode Island Board of Elections has written a manual for poll workers that contains some of the most important error messages [3]. For any other errors, the poll workers are instructed to call the Board of Elections. Perhaps this is a good security measure.

2.7 Critique

As is common throughout the United States, Rhode Island's election machines are built and maintained by a private vendor. The software is not available for review and technical documentation is a closely guarded secret. The OpTech voting system was designed over twenty years ago. Therefore, it does not have the audit trail capability that is expected of election machines today. There is no universal verification at this time. A voter cannot observe if a ballot is counted correctly or accepted without miscalculation. A voter cannot see if his or her vote is included in the tally.

Since Rhode Island is a small state, it has the benefit of needing only one election system for the entire state. The Board of Elections was extremely helpful during this study and answered all our questions openly. More written documentation about the election process would increase the openness of the system.

List of References

[1] Election Systems and Software. Election Systems and Software company website. Last accessed on March 9, [Online]. Available: http://
[2] United States Department of Justice. Justice Department requires key divestiture in Election Systems and Software/Premier Election Solutions merger. Last accessed on March 9, [Online]. Available: http:// releases/2010/ htm
[3] M. J. Nunez, Poll Worker Manual, RI Board of Elections, 55 Branch Avenue, Providence RI,
[4] Election Systems and Software. RFI V-15.2, proposal for an automated voting system for the state of New York. Last accessed on March 9, [Online]. Available: http://vote.nyc.ny.us/pdf/documents/boe/rfi/g4/ess/00%20NYC%20Cover%20and%20Spine.pdf

CHAPTER 3

Existing Technologies

In this chapter the fundamental technologies used most often in the emerging group of audit-capable voting systems are examined. The most prominent voting systems that influenced our work are then surveyed. It is important to note that all the systems outlined are in their infancy. To the best of our knowledge no comparative critique exists in the form presented here. To provide a workable comparison, each system was summarized into the categories listed below. The details that were irrelevant to this thesis were intentionally left out and can be found in the sources referenced.

Ballot Layout - This section provides information on the ballot's necessary elements. For simplicity, a single contest race is depicted.

Voter Experience on Election Day - To provide election verifiability, each system adds a certain level of complexity to the voting process. Analyzing the voter experience helps weigh the changes for the voter against the value the complexities add.

Back End Process - The back end process refers to the necessary procedures and technologies used to set up and conduct an election.

Audit Capability - This section explains the audit capabilities of each voting system.

Critique - An analysis of the pros and cons of each system, with emphasis on an examination of the practicality of use in Rhode Island, is included.

3.1 Roles

It takes many individuals to conduct and audit a fair election. For consistency, the following roles are defined and used throughout this thesis:

Voter - A voter is someone who casts a ballot and if desired retains a receipt to conduct an audit in the election.

Trustee - A trustee is an election official responsible for conducting the election. To be sure that no one official has absolute authority and is in a position to fix an election, it is necessary to have several trustees.

Auditor - An auditor is officially responsible for verifying the election. For the public to trust that an election is executed fairly, auditors should not be election insiders. They should be selected from third-party watchdog groups and should represent all prominent political parties. In all cases here, it is necessary for the auditor to understand the underlying technologies enough to be able to verify complex mathematical proofs and possibly write code to verify election results.

Poll Worker - A poll worker is hired and trained to be at the polls to help voters cast their ballots and keep the election systems up and running properly, as well as maintain voter privacy. Poll workers check in voters by verifying that each voter's name is on the voting list and having the voter sign a ballot application.

3.2 Fundamentals

This section contains a brief explanation of the underlying technologies that are common among the voting systems analyzed. The topics and how they relate to voting are described here and then referenced when appropriate throughout this dissertation.

3.2.1 Mix Networks

Often referred to as mixnets, a mix network is a protocol used to purposely obfuscate a path through a network. In voting systems, mixnets are used to create an anonymous but verifiable link between secret data used to audit the vote and the chosen candidates. This link must be kept secret because, if exposed, voters are able to prove who they voted for in an election.

David Chaum first introduced the concept of mixnets in 1981 [1]. There are many versions of mixnets that have been proposed since Chaum's first version [2]. In its basic form, a mixnet is very similar to a switchboard where a message travels from server to server and each time an encryption or other secret operation is performed. Mixnets are sometimes called onions because there may be several layers of obfuscation.

To be assured with high probability that a mixnet is operating properly, it must be audited and proven correct. This can be tricky in voting systems since exposing the entire path would reveal the secret. To address this, many mixnet implementations use a technique called Randomized Partial Checking (RPC) [3]. Rather than provide a complete proof that the mixnet is correct, a pseudorandomly selected subset of the mixnet is revealed and tested. RPC is used in voting systems because it provides a mechanism to audit the mixnet while keeping the link between the secret data and the candidate concealed.

A version of a mixnet is used in the Scantegrity [4] and Prêt à Voter [5] systems discussed below. The initial version of Helios also used a mixnet [6], but this system has since switched to a homomorphic tallying system [7].

Public Key Encryption

Public key cryptography was first proposed by Diffie and Hellman in 1976 [8] although a practical application of this cryptographic idea was not suggested until Rivest, Shamir, and Adleman's paper in 1977 [9]. Public key cryptography is the prominent encryption mechanism used to encrypt votes and other information that, if exposed, would threaten voter privacy. Public key systems are well suited for voting protocols since you can publish the public key used to encrypt the votes, while keeping the private key safeguarded in the hands of the election trustees. This technique makes it possible to maintain an open source election system that is also capable of keeping confidential election data secret.

Public key encryption systems have three basic properties that are highly desirable for use in voting systems: distributed, threshold and homomorphic encryption.

Distributed Encryption

To lower the probability of a corrupt election, it is important to be sure that no single trustee can know and be solely responsible for generating private keys. Therefore many voting systems use a distributed key system where the private key is shared among several trustees. When it is time to generate the keys, a group of trustees must meet to generate the keys with auditors present. In order for the trustees to decrypt the secret, it is required that they provide their share of the private key.

Threshold Encryption

Voting is a real world scenario and therefore it is conceivable that a trustee may not be available for the decryption phase. A desirable property of a voting system is its ability to decrypt the secret when an agreed upon threshold of trustees is present. If there are n trustees and the threshold is set at k, a percentage of n, then it takes at least k trustees to agree and decrypt the secret. If fewer than k participate, the secret remains hidden.

Homomorphic Encryption

An encryption algorithm E is homomorphic if given E(X) and E(Y), one can obtain E(X Y) without decrypting X, Y for some operation [10]. In voting systems the desired homomorphic property is the addition function. This makes it possible for election systems to put all the encrypted votes on a bulletin board and tally the votes without having to decrypt them. Each voting machine uses a public key to encrypt the ballots. Election officials can then use the function to tally the votes such that E(X + Y) = E(X) E(Y) [11].

In versions of Helios, Prêt à Voter, and Scantegrity, variants of the El-Gamal encryption system [12] are used. In Exponential El-Gamal, g^m is encrypted rather than m to take advantage of the laws of exponents to achieve the additive homomorphic property [7]. In one version of Prêt à Voter, Paillier [13] is used which also can be shown to demonstrate the above properties.

Cryptographic Hash Functions

A cryptographic hash function is an algorithm that performs a deterministic function on a block of data and returns a fixed size string called a message digest or hash value. In order to be valuable as a distinctive identifying characteristic of data, the function must be written such that it is infeasible that two distinct data blocks have the same message digest.

Introduced in the 1950s, the original purpose of hash functions was to detect errors in communications [14]. The procedure is as follows. A hash value is calculated and appended to the message prior to transmission. Once the message reaches its destination, the hash value is recalculated and compared to the transmitted message digest. If a difference is found, it is assumed an error occurred in transmission.

One of the first hash functions to gain acceptance was the MD5 Message-Digest Algorithm designed by Ron Rivest in 1991 [15]. MD5 takes a message of any length and outputs a 128-bit hash value. In 2004, two strings were found to have the same hash value (although the strings were highly implausible); therefore MD5 is no longer considered collision resistant and is not recommended for use in security applications [16]. Since the initial collision, several other collisions have been found [17].

SHA-1 (Secure Hash Algorithm) is another widely used hash function which was originally designed by the National Security Agency (NSA) in 1995 to be used as a Federal Information Processing Standard (FIPS) [18]. Based on SHA-0, SHA-1 takes a string of any arbitrary length and outputs a 160-bit hash value. In 2005 and again in 2008, collisions were found against SHA-1 as well [19] [20]. In 2006 NIST recommended that all federal agencies stop the use of SHA-1 and move to SHA-2 for all applications except hash-based message authentication codes (HMACs), key derivation functions (KDFs) and random number generators (RNGs) [21]. In some versions of the voting systems we analyzed, SHA1 was used for RNGs and KDFs. The SHA256 hash function was found in newer versions [22].

Cryptographic Commitment Schemes

In many of the cryptography-based voting systems, secret information is generated during the pre-election process that is encrypted and must remain secret and unchanged until the post-election process. Therefore it must be verifiable post-election that the information has remained unaltered. To accomplish this, some voting systems use a cryptographic commitment scheme based on hash values as discussed above.

Commitment schemes were first formalized in 1988 by Brassard, Chaum, and Crépeau in the Journal of Computer and System Sciences [23]. A commitment scheme allows one to commit to a message (pre-election) while not revealing what it is until sometime in the future (post-election). To commit to a message m, a secret random number r is first chosen. The commitment c is defined as c = commit(m, r), where commit is the chosen commitment function. If you know c, no information is revealed about either r or m [24]. This process of performing the commitment function is called committing or binding the commitment to the message. As discussed above, SHA1 and SHA256 hash functions are found in the commitment schemes [22] as well as a random number generator based on a predetermined seed.

Trusted Workstation

To generate sensitive information that must be kept private such as the private keys in the decryption algorithm or the necessary commitment tables, voting systems sometimes rely on a trusted workstation. A trusted workstation is a laptop or desktop that has been specifically built for extra precautions to ensure nothing can be input, output or saved without the knowledge of the election authorities. The trusted workstation has no hard drive or other permanent nonvolatile storage. The workstation cannot connect to the internet or other computers in any manner. If there is an ethernet connection it is unplugged, or if there is a wireless card it is disabled or removed. To authenticate the use of the workstation, it is usually necessary for more than one election official to enter a password.

The workstation is booted with a standard LINUX CD. The voting system's software is loaded using a portable storage device such as a USB memory stick. The secret data generated is stored on USB memory sticks and distributed to trustees and safeguarded as appropriate. The LINUX CD is then destroyed. This extra precaution ensures no one can gain access to the workstation at a later date, including the trusted official.
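The additive tally described under Homomorphic Encryption above, worked through as an added example that is not code from the dissertation or from Helios, Prêt à Voter or Scantegrity. The group parameters are constructed, toy-sized values chosen so the arithmetic is easy to follow, and the ballots are constructed sample data.

```python
"""Additive tally with exponential ElGamal over a toy group (illustration only)."""
import secrets

# Constructed toy parameters, far too small for real use: P = 2*Q + 1 is a
# safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2579, 1289, 4
assert P == 2 * Q + 1 and G != 1 and pow(G, Q, P) == 1


def keygen():
    """Return (private x, public h = G^x mod P). A real election would share
    x among trustees instead of holding it in one place."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """Encrypt G^m (not m) under public key h with fresh randomness r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, m, P) * pow(h, r, P)) % P


def combine(c1, c2):
    """Component-wise product of two ciphertexts encrypts the sum of the votes."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P


def encrypt_ballot(h, choices):
    """One ciphertext per candidate: 1 for the chosen candidate, 0 otherwise.
    Helios-style systems also attach a zero-knowledge proof that each value
    is 0 or 1; that step is omitted here."""
    return [encrypt(h, v) for v in choices]


def tally(board):
    """Multiply the bulletin board column by column. No ballot is decrypted."""
    totals = list(board[0])
    for ballot in board[1:]:
        totals = [combine(t, c) for t, c in zip(totals, ballot)]
    return totals


def decrypt_total(x, c, max_total):
    """Recover G^m = b / a^x, then find m by trying 0..max_total."""
    a, b = c
    g_m = (b * pow(pow(a, x, P), -1, P)) % P
    acc = 1
    for m in range(max_total + 1):
        if acc == g_m:
            return m
        acc = (acc * G) % P
    raise ValueError("total outside the expected range")


def run_election(ballots):
    """Encrypt every ballot, tally the ciphertexts, decrypt only the totals."""
    x, h = keygen()
    board = [encrypt_ballot(h, b) for b in ballots]
    return [decrypt_total(x, c, len(ballots)) for c in tally(board)]


if __name__ == "__main__":
    # Constructed ballots for a three-candidate race.
    sample = [[1, 0, 0], [0, 1, 0], [1, 0, 0], [0, 0, 1], [1, 0, 0]]
    print(run_election(sample))
```

Only the per-candidate totals are ever decrypted, which is why the final search over 0..max_total stays small: the exponent is a vote count, never larger than the number of ballots.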
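The commit(m, r) step from the Cryptographic Commitment Schemes section above, as an added example that is not code from the dissertation or the surveyed systems. It assumes SHA-256 over r followed by m as the commit function (the page does not give the exact function), and the table of ballot serial numbers and candidate orders is constructed sample data.

```python
"""Hash-based commitments over a pre-election table, checked post-election."""
import hashlib
import hmac
import itertools
import secrets


def commit(message, r=None):
    """Return (c, r) with c = SHA-256(len(r) || r || message).
    The length prefix keeps the r/message boundary unambiguous."""
    if r is None:
        r = secrets.token_bytes(32)
    c = hashlib.sha256(len(r).to_bytes(2, "big") + r + message).digest()
    return c, r


def verify(c, message, r):
    """Recompute the commitment from the opening and compare in constant time."""
    return hmac.compare_digest(c, commit(message, r)[0])


def encode_row(serial, order):
    """Hypothetical row encoding: serial number, then the candidate order."""
    return (serial + "|" + ",".join(order)).encode()


def commit_table(table):
    """Pre-election: commit to every row of {serial: candidate order}.
    Returns (public, openings). `public` is published; `openings` stays secret."""
    public, openings = {}, {}
    for serial, order in table.items():
        message = encode_row(serial, order)
        c, r = commit(message)
        public[serial] = c
        openings[serial] = (message, r)
    return public, openings


def audit(public, revealed):
    """Post-election: return the serials whose opening fails verification."""
    return sorted(
        s for s, (message, r) in revealed.items()
        if s not in public or not verify(public[s], message, r)
    )


def recover_unsalted(digest, serial, candidates):
    """Why r matters: a bare hash of a row can be matched by enumerating the
    few possible candidate orders. Returns the order found, or None."""
    for order in itertools.permutations(candidates):
        if hashlib.sha256(encode_row(serial, order)).digest() == digest:
            return order
    return None


if __name__ == "__main__":
    candidates = ("Alice", "Bob", "Carol")             # constructed sample data
    table = {"0001": ("Bob", "Carol", "Alice"),
             "0002": ("Alice", "Bob", "Carol")}
    public, openings = commit_table(table)
    print("honest audit:", audit(public, openings))     # no failures
    altered = dict(openings)
    altered["0002"] = (encode_row("0002", ("Bob", "Alice", "Carol")),
                       openings["0002"][1])
    print("altered row :", audit(public, altered))      # flags 0002
    print("with r      :", recover_unsalted(public["0001"], "0001", candidates))
```

The last call returns None because the random r, not the candidate order, supplies the unpredictability; the same enumeration succeeds against a hash computed without r.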

3.3 Aperio

Aperio is a paper-based election system designed to create verifiable audit trails without the use of cryptography. The key approach is the use of randomized candidate order on the ballots so separate paper receipts can be created with the voter's mark in its proper location without the candidate names. This technique provides auditability while maintaining voter privacy. Aperio was first presented at the WOTE2008 conference by Aleks Essex et al. of the University of Ottawa as a way to conduct high integrity elections for countries that have limited access to technology [25]. An electronic version of Aperio now exists, Eperio, which operates in a similar fashion but uses technology and some cryptography to keep the back end process secret [26]. Since the WAVERI system we present in this study was most influenced by the simplicity and elegance of the Aperio system, we present the Aperio variant here. A complete description of Aperio can be found at the EVT '08 website.

Ballot Layout

Called a Ballot Assembly, the Aperio ballot consists of four sheets of paper separated by carbon paper. The top sheet is the ballot itself, with the randomized candidate names and corresponding ovals to mark the voter's choice. The second sheet is a receipt that has a serial number and the marked candidate's ovals without the candidate names. The last two sheets are audit sheets that contain predefined commitment reference numbers that are used during the audit process as well as the marked candidate's ovals without the candidate's names. On each audit sheet, there is also an empty box to write down the receipt numbers while auditing (see Figure 8). During the audit process, the auditors use the audit sheets to verify the election. In theory, you can have as many audit sheets as you wish, one for every interested political group if necessary. When the voter marks the top sheet, the mark carries on through all four sheets of paper. Therefore the voter's mark is seen clearly on all four sheets.

Figure 8. An example of an Aperio ballot from Aperio: High Integrity Elections for Developing Countries [25]

Voter Experience on Election Day

A voter enters the polling place and is given a ballot assembly. The voter marks the top ballot which also marks the receipt and the audit sheets. The voter then separates the ballot assembly, drops the top sheet (the ballot) into the ballot box, and the audit sheets into their corresponding audit boxes. The voter retains the receipt to be able to audit the election later or to give to their favorite watchdog group. To tally the votes, the trustees simply count them from the ballot box.

Back End Process

There are three steps to setting up an Aperio election that are assumed to be conducted by a trusted election authority.

1. Create Ballot Assemblies - Each sheet of the ballot is first created separately then joined with the other sheets. The top ballot sheet is created with the list of candidates in random order. The randomizing could be as simple as cyclic since there is not yet an association with serial numbers. Then the receipt is created by generating a random unique number and placing it on the receipt. The ballot and receipt sheets are then shuffled and stapled together randomly along with the audit sheets.

2. Build Commitment Lists - Each audit trail consists of two commitment lists. The receipt commitment list holds information about the serial number association to the ballot assembly. The ballot commitment list holds information concerning the candidate order association to the ballot assembly. If regarded together, the relationship between the serial number and candidate order is exposed. Therefore to conduct the audit process securely, only one of these lists is ever revealed. The other is destroyed during the audit process. The commitment list is made up of rows, each corresponding to one ballot assembly. The row holds secret information about the ballot assembly. The row number on the commitment list is called the commitment reference number. For each audit sheet in the ballot assembly, the commitment lists are created as follows: A commitment reference number (the row to fill in) is randomly chosen and a ballot assembly is randomly picked from the collection of ballots. The serial number from this ballot assembly is noted in the row of the commitment reference number on the receipt commitment list. The candidate order is noted in the row of the commitment reference number on the ballot commitment list. The commitment reference number is then noted on the receipt audit sheet on the ballot assembly. This process is continued until all the ballots have been marked with commitment reference numbers on the audit sheet and all ballots have been included on the commitment lists. For each audit sheet, this procedure is repeated, therefore creating more than one independent audit trail.

3. Commit Ballot Assemblies to Commitment Lists - To ensure the vote remains secret, it is imperative that the association of the candidate order and the corresponding serial number is never exposed. Therefore, in the presence of auditors, each commitment list is placed in a separately sealed envelope and signed by the election trustees. At the time of audit, the ballot commitment list of one audit trail and the receipt commitment list of another audit trail are opened. Therefore the audit can be conducted without revealing the relationship of serial number and candidate order of the ballot assemblies.

Audit Capability

At the time of this writing, Aperio is capable of conducting the following audits:

Receipt Audit - A receipt audit allows voters and watchdog groups to make sure all the receipts are included in the final tally. An audit box is randomly chosen and opened. The corresponding receipt commitment list is opened and, to secure voter privacy, the corresponding ballot commitment list is now destroyed. A receipt trail is created by going through the audit box one audit sheet at a time and looking up the commitment reference number on the commitment list, finding the serial number and writing it down on the audit sheet. This receipt trail can then be published on a local bulletin board or newspaper so all voters can look up their receipt to be sure it was part of the vote.

Tally Audit - A ballot tally audit gives auditors another way to verify the vote tally. The audit box that was not used for the receipt audit is opened. The corresponding ballot commitment list is opened and the corresponding receipt commitment list is destroyed. A ballot audit trail is created by pulling an audit sheet out of the audit box, looking up the commitment reference number and writing the candidate list in correct order on the audit sheet. The ballot audit trail can be tallied and compared to the official tally created from the ballot box.

Ballot Audit - A print audit is a mechanism for auditors to feel confident that the ballot assemblies were built properly. To perform a print audit a number of ballots are set aside and marked as spoiled sometime during election day. After the election the spoiled ballots are compared with the receipt and ballot tally audit trails to be sure they match.

Critique

Aperio is interesting because it creates a verifiable audit trail without the use of cryptography. Lacking complex mathematics, it is possible to explain this system to the general public. A criticism that has been leveled at many of the cryptographic-based systems is that the general public does not understand them [27]. The Aperio system has also inspired the possibility of creating an audit process for Rhode Island without introducing cumbersome mathematics.

As in many of the proposed voting systems, Aperio assumes the trusted election authorities wish to conduct a fair and accurate election. If the trustees and auditors are indeed corrupt, unlike cryptographic solutions, all the information can be easily available to review and alter.

Since Aperio's back end process must be conducted in secret, it is considered a blackbox. To keep votes secure, the commitment lists must be built behind closed doors. The public has no way of auditing this part of the process.

Ballot assemblies are primitive. It is not possible to prevent all poll workers from taking note of the candidate order-serial number relationship for a particular voter or group of voters. It could also be envisioned that a poll worker may conspire with voters and organize the ballot assemblies in a manner that guarantees a certain ballot assembly to a particular voter. That would help the voter prove who they voted for and ultimately help sell their vote. Since the voter can see the individually marked ballot and possibly point it out to an interested party, the voter could try to mark the ballot uniquely in an attempt to sell his or her vote.

Displaying candidate names in a random fashion is a compelling idea that deserves further study. Although ballot creation and set-up become more complex, random candidate lists provide the voters with a way to see their exact markings on ballots without disclosing their vote. This instills fairness in the election process since each candidate has the opportunity to appear on the top of the list an equal number of times. Rhode Island has specific laws about candidate order on the ballot so this system would not work for us today [28]. However an investigation is certainly warranted for adaptation in the future.

3.4 Scantegrity II

Scantegrity II is an open source, end-to-end cryptographic solution created to be used in conjunction with existing optical scan voting technology. The fundamental principle resides in secret codes, referred to as confirmation codes, that are printed in invisible ink on the ballot. When the voter casts a ballot, the code is revealed. The voter can then look up the confirmation code on a bulletin board to be confident his vote was counted and included in the final tally.

Based on its predecessor Punchscan [29], Scantegrity was originally proposed in a whitepaper written by David Chaum in 2007 [30]. Today, the Scantegrity team has grown significantly and consists of researchers from many universities [22]. In 2009, Scantegrity II had a major success when it was selected to be the first end-to-end cryptographic solution to be used in a United States governmental binding election held in Takoma Park, Maryland [31].

Since Scantegrity is evolving, several versions exist. This work analyzes the technical details as presented in the proceedings of the 2008 USENIX/ACCURATE Electronic Voting Technology Workshop [32]. The latest information as it unfolds can be found on the website, scantegrity.org.

Ballot Layout

The Scantegrity ballot consists of a list of candidates with empty ovals beside each choice. There is a unique serial number assigned to each ballot. The serial number is visible at the top of the ballot as well as on a tear off section that acts as a receipt and is separated by a perforated line at the bottom of the ballot (Figure 9 shows an example of a Scantegrity ballot). To choose, the voter fills in the oval that corresponds with the candidate of choice. When the oval is filled in, the ink in the pen reacts with the ink on the ballot and a confirmation code appears [32]. The voter only sees the confirmation codes of the candidates they have chosen. The confirmation codes on the ballot are unique within a contest and are generated randomly during the pre-election backend process. If a voter wishes to verify his vote, he writes down his confirmation codes on the receipt, tears it off and takes it home. With Scantegrity, candidate names always appear in the same order and ballots look identical except for the unique serial number. The uniqueness of the voter's choice is provided by the hidden confirmation code.

Figure 9. An example of a Scantegrity II ballot as depicted in Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes [32]

Voter Experience on Election Day

When a voter enters the polling place, he is given a ballot and a special decoder pen capable of making the confirmation codes appear properly. The voter enters the voting booth and uses the decoder pen to mark the ballot. The voter, if he desires, writes down the now visible confirmation codes on the receipt portion of the ballot, separates it, and carries the top portion of the ballot to the optical scanner. The voter then enters the ballot in the optical scanner and retains the receipt for later verification.

Back End Process

The back end process for Scantegrity can be divided into the following steps:

1. Confirmation Code Generation - The election trustees enter their share of a secret seed into a pseudorandom number generator on a trusted workstation. This action generates the unique confirmation codes needed for all the ballots. The seed chosen must be unpredictable, but after election day must be verifiable. For the Takoma Park election, the seed was the closing stock prices in the Dow Jones Industrial Average from the day before [31]. This technique was first proposed by Jeremy Clark et al. from the University of Ottawa [33].

2. Ballot Table (P) Creation - The ballot table P is used to generate the invisible ink based paper ballots for the optical scanner. Each row represents a ballot and is indexed by a ballot serial number. Each column holds the confirmation codes that correspond to every candidate and is referenced by the candidate names. One by one the commitment codes are placed in the order they were generated in the table. Since P exposes the relationship between the confirmation codes and the candidates, it must never be published.

3. Commitment Table (Q, R, S) Creation - To obfuscate the candidate-confirmation code relationship, Scantegrity uses a two-stage left and right mixnet. To build the mixnet, the following private tables are generated prior to the election:

Permuted Ballot Table Q - This table holds the confirmation codes for each ballot, but the table is permuted to hide the candidate-confirmation code relationship. Table Q is committed and the committed version is published.

Shuffle Table R - The shuffle table R holds two random shuffles of the confirmation codes and an indicator if the confirmation code was chosen in the election. On the left side of the table there is a pointer to the corresponding position in Table Q. On the right side there is a pointer to the location in the results table S. All the pointers are generated pseudorandomly. Each pointer is committed to and also published.

Results Table S - The results table S is built during the pre-election process to hold the election results. Each column represents a candidate, and the table is indexed by the pointer from the shuffle table. Only the indicators of which candidates received a vote are listed in the table.

See Figure 10 for an example of a set of pre-election private mixnet tables for three candidates and 5 ballots [32].

Figure 10. An example of a set of Scantegrity commitment tables from Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes [32]
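The following Python sketch is an added example, not code from Scantegrity or from this dissertation. It builds toy versions of tables P, Q, R and S as described above, commits to every pointer in R with c = commit(m, r), carries a vote's flag from Q through R into S, and checks one opened side of R against the published commitments. The candidate names, three-digit code format, seed string, the SHA-256(r || m) construction, and the names `Election`, `receipt_ok`, `rpc_audit`, `tamper_results` and `run_demo` are assumptions made for illustration.

```python
import hashlib
import random

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample contest
N_BALLOTS = 5                            # constructed sample size


def commit(m: str, r: bytes) -> str:
    """c = commit(m, r). Assumed construction: SHA-256 over r followed by m."""
    return hashlib.sha256(r + m.encode()).hexdigest()


class Election:
    def __init__(self, seed: str):
        # Stand-in for the trustees' seeded generator. random.Random is
        # reproducible from the seed but is not cryptographically secure.
        rng = random.Random(seed)
        n, k = N_BALLOTS, len(CANDIDATES)
        # P[serial][candidate] -> confirmation code. Private, never published.
        self.P = [[f"{v:03d}" for v in rng.sample(range(1000), k)]
                  for _ in range(n)]
        # Q: the same codes per ballot, permuted so that a position in the
        # row no longer says which candidate the code belongs to.
        self.Q, cells = [], []
        for b in range(n):
            perm = rng.sample(range(k), k)
            self.Q.append([self.P[b][c] for c in perm])
            cells += [((b, j), c) for j, c in enumerate(perm)]
        # S: one column per candidate. Every code gets a random free row in
        # its candidate's column, so S holds flags only, never codes.
        free = {c: rng.sample(range(n), n) for c in range(k)}
        self.S = [[False] * k for _ in range(n)]
        # R: one shuffled row per code with a left pointer "q" into Q, a
        # right pointer "s" into S, and a flag set when the code is chosen.
        self.R = [{"q": q, "s": (free[c].pop(), c), "flag": False}
                  for q, c in cells]
        rng.shuffle(self.R)
        # Commit to every pointer; only the commitments are published.
        self.rand = [{side: rng.getrandbits(128).to_bytes(16, "big")
                      for side in ("q", "s")} for _ in self.R]
        self.published = [{side: commit(repr(row[side]), rnd[side])
                           for side in ("q", "s")}
                          for row, rnd in zip(self.R, self.rand)]
        self.revealed = set()  # Q positions exposed by cast votes

    def cast(self, serial: int, candidate: str) -> str:
        """Record a vote and return the confirmation code the voter sees."""
        code = self.P[serial][CANDIDATES.index(candidate)]
        pos = (serial, self.Q[serial].index(code))
        row = next(r for r in self.R if r["q"] == pos)
        row["flag"] = True
        self.S[row["s"][0]][row["s"][1]] = True
        self.revealed.add(pos)
        return code

    def tally(self) -> dict:
        """Count the flags in each column of S."""
        return {name: sum(row[c] for row in self.S)
                for c, name in enumerate(CANDIDATES)}

    def open_side(self, side: str) -> list:
        """Trustees open one side of R: each pointer with its random r."""
        return [(row[side], rnd[side]) for row, rnd in zip(self.R, self.rand)]


def receipt_ok(e: Election, serial: int, code: str) -> bool:
    """Voter check: the code on the receipt is exposed in Q for that serial."""
    return any(b == serial and e.Q[b][j] == code for b, j in e.revealed)


def rpc_audit(e: Election, side: str) -> bool:
    """Check the opened side ("q" or "s") of R against the commitments and
    against the flags on the table that side points to."""
    opened = e.open_side(side)
    if len({ptr for ptr, _ in opened}) != len(opened):
        return False  # two rows point at the same cell
    for i, (ptr, r) in enumerate(opened):
        if commit(repr(ptr), r) != e.published[i][side]:
            return False  # pointer is not the one committed to
        linked = ptr in e.revealed if side == "q" else e.S[ptr[0]][ptr[1]]
        if e.R[i]["flag"] != linked:
            return False  # flag was not carried across this half
    return True


def tamper_results(e: Election) -> None:
    """Move one recorded vote to the next candidate's column in S."""
    r, c = next((r, c) for r in range(N_BALLOTS)
                for c in range(len(CANDIDATES)) if e.S[r][c])
    e.S[r][c] = False
    e.S[r][(c + 1) % len(CANDIDATES)] = True


def run_demo():
    e = Election(seed="constructed-seed")
    votes = [(0, "Alice"), (1, "Bob"), (2, "Alice"), (3, "Carol"), (4, "Alice")]
    receipts = {serial: e.cast(serial, name) for serial, name in votes}
    return e, receipts
```

After `tamper_results`, the check on side `"s"` fails while the check on side `"q"` still passes, so a change confined to one half of the mixnet is caught only when that half is the one opened. Only one side is opened in any one audit, because opening both would connect a position in Q to a candidate column in S.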

Figure 11. An example of a set of Scantegrity commitment tables post-election, from Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes [32]

Audit Capability

The following audits are available for Scantegrity:

Receipt Audit - After the election, the confirmation codes that were selected during the election are exposed in the permuted ballot table Q. The voter's paper receipt should be visible in the decrypted portion of the table. To verify that their confirmation code was used in the election, a voter visits the election website, inputs their ballot serial number and verifies that the confirmation codes on their paper receipt match the confirmation codes on the website.

Ballot Audit - To verify the ballots were printed correctly, a voter or an auditor can conduct a ballot audit on election day. To begin a ballot audit, the interested party asks a poll worker for a blank ballot. The poll worker marks a ballot as Audit Ballot and relinquishes it to the auditor. The auditor uses the decoder pen to reveal all the codes on the ballot and takes it home to be later verified against the election website.

Pre-Election Cut and Choose Audit - This audit, a version of a randomized partial checking (RPC) audit, is conducted during the pre-election process. After all mixnet tables have been built and committed to, half the tables are purposely decrypted and exposed. This makes it possible to verify that the exposed confirmation codes and mixnet relationships were built properly. With high probability, the hidden half of the table is now assumed correct [34]. Once this secret data is exposed, it cannot be used in the election. Therefore it is necessary to generate double the number of confirmation codes actually needed in the election when creating the Ballot Table P.

Tally Audit - After the election, the results table S is populated with the indicators of the selected confirmation codes. To audit the tally, any auditor can write software to count the flags in each column and compare it to the reported election results.

Post-Election Randomized Partial Checking (RPC) Audit - To verify after the election that the mixnet operated properly, the trustees decrypt either the left side or the right side of the shuffle table R, making it possible to verify with high probability the relationships were created properly. See Figure 11 for an example of a set of post-election private mixnet tables for three candidates and 5 ballots [32].

Critique

Scantegrity was originally defined to be an add-on to existing optical scanner technology. Since Rhode Island uses optical scanners and our goal is to minimize the impact on Rhode Island's existing system, this is an interesting feature. To meet the requirements of the Takoma Park Election, it was necessary to build an optical scanner system [31]. Scantegrity also requires a scanner that can read ballots with bubbles that contain exposed confirmation codes. In Rhode Island, we use a different type of optical scanner that is based on voters completing arrows for the candidate of their choice.

Scantegrity also requires a specialized ballot creation process much different from our process today. Serial numbers are required on each ballot, as well as ink that conceals confirmation codes. Since each ballot is unique, it significantly complicates our ballot creation process. Serial numbers also open up another set of privacy questions that Rhode Island does not face today.

To participate in the audit process, voters are required to tear off a portion of the ballot as well as to write down confirmation codes. This could cause voters to ruin their ballot unintentionally. If the code number is written incorrectly, this causes significant problems with the audit process for all parties involved.

Like all cryptographic voting systems we analyzed, if the secret data is compromised, voter privacy is also compromised. In the case of Scantegrity, if the ballot table P is exposed, the confirmation code-candidate relationship is exposed.

Scantegrity is complex and would be difficult for the general public to understand. Scantegrity has a lot of interesting features and we look forward to reviewing future versions, but it would not adapt well to the existing Rhode Island system without significant changes.

3.5 Helios

Helios is an open-source, internet-based voting system created in 2008 by Ben Adida from Harvard University [6]. The focus of Helios is to provide a purely online election system with a public cryptographic-based auditing capability. A goal of the Helios project is to provide anyone with the ability to set up and conduct a completely online election.

Due to the vulnerabilities that exist on the internet, voting online is still considered insecure. Adida does not endorse using Helios for elections that involve high stakes and may be at risk of cyber attacks. Rather he suggests settings such as schools and online clubs as potential groups who would benefit from conducting trustworthy online elections.

In its short life, Helios has had some major triumphs. In March 2009, Helios was deployed successfully in the election of President of the Université Catholique de Louvain in Louvain-la-Neuve, Belgium [7]. Helios was also used to run the Princeton Undergraduate Student Government election in October 2009 [35]. At the time of this writing Helios is in its third iteration (Helios 3). The latest information about the current version of Helios and its latest deployments can be found at heliosvoting.org.

Ballot Layout

The Helios ballot is an online form that is presented to the voter. The voter clicks the check box of the candidate of choice and is walked through the process of confirming the vote and submitting the vote to be audited and then counted. Figure 12 shows the first screen of a Helios ballot. The ballot sent to the server contains the ciphertext for each vote, which is an encrypted 0 or 1 and will become part of the homomorphic tally on the server.

Voter Experience on Election Day

Since this is a web-based system, voter authentication is extremely important. To help ensure that eligible voters cast only one ballot in the election, voters must first register. All potential voters are sent an e-mail with instructions on how to register for the election. Voters are instructed to go to a website where they will enter their authentication information and receive a voter identification number and password to be used on election day.

Figure 12. An example of a Helios ballot from Electing a University President using Open-Audit Voting: Analysis of real-world use of Helios [7].

When it is time to cast the ballot, the voter logs on to the website with an e-mail address and password. To help prevent cyber attacks, the Helios client side application preloads all of the ballot information and prevents further access to the internet until the ballot is approved and sent to the Helios server. Once all the ballot questions have been answered, the voter's choices are encrypted on the client side with El Gamal encryption and a SHA-1 hash of the ciphertext is displayed. The voter is then given the choice to confirm choices or audit the ballot. If an audit is chosen, the randomness used for the encryption is displayed so the voter can re-calculate and verify that the ballot was encrypted properly. There is a ballot encryption verification program provided by Helios, or voters can choose to write the code themselves. The voter then re-submits the ballot. A re-encryption occurs and a new hash is displayed. This process can be repeated as many times as a voter wishes. Based on the Benaloh cast-or-audit voting protocol [36], this process is intended to help the voter feel confident that the ballot is being encrypted properly.

Once ready, the voter casts the ballot. The internet access is activated and the form is sent to the Helios server to become part of the tally.

Back End Process

Before the election, a Helios administrator programs the ballot screens for the client side and adds the registered voters to be used for authentication on the server side. Using a trusted workstation, the private key needed to decrypt the election tally is generated using a distributed group of trustees. The public key for encrypting votes as well as several other election parameters are published.

Audit Capability

Ballot Audit - Voters can choose to audit ballots at the time of voting as described above. To instill confidence that the vote is being cast properly, the voter can audit the ballot as many times as wished.

Receipt Audit - A voter receipt consists of a SHA-1 based commitment that was presented to the voter just after the vote was cast. These receipts are published on the election website to be verified by the voters post-election.

Tally Audit - The encrypted votes, the decrypted final tally as well as all other election parameters are provided on the election website. Audit code that was written by an independent company to test the decryption code and verify that the tally is correct is available. Auditors are also welcome to write their own verification code. For the UCL election [7], two independently produced election tally and verification codes were written in two different programming languages.
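The cast-or-audit check, the SHA-1 receipt and the homomorphic tally described above can be followed end to end in the Python sketch below, which is an added example and not code from Helios or from this dissertation. The toy group parameters, the way trustee shares are combined, and all function names are assumptions made for illustration, and the sketch leaves out the zero-knowledge proofs Helios publishes alongside ballots and decryptions.

```python
import hashlib
import secrets

# Toy group for illustration only: P = 2Q + 1 with Q prime, and G generates
# the subgroup of order Q. Real elections need parameters of 2048 bits or more.
P, Q, G = 2039, 1019, 4


def keygen(n_trustees: int):
    """Each trustee keeps a private share; the election key is the product
    of the trustees' public values, so no single trustee can decrypt."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_trustees)]
    h = 1
    for x in shares:
        h = h * pow(G, x, P) % P
    return shares, h


def encrypt_bit(h: int, bit: int, r: int):
    """Exponential El Gamal: (g^r, g^bit * h^r). Bits add under multiplication."""
    return (pow(G, r, P), pow(G, bit, P) * pow(h, r, P) % P)


def encrypt_ballot(h: int, choice: int, n_options: int):
    """Encrypt a 1 for the chosen option and a 0 for every other option."""
    rs = [secrets.randbelow(Q - 1) + 1 for _ in range(n_options)]
    cts = [encrypt_bit(h, int(i == choice), r) for i, r in enumerate(rs)]
    return cts, rs


def fingerprint(cts) -> str:
    """SHA-1 hash of the ciphertext, shown to the voter as the receipt."""
    return hashlib.sha1(repr(cts).encode()).hexdigest()


def audit_ballot(h: int, cts, rs, intended_choice: int) -> bool:
    """Audit path: with the randomness revealed, re-encrypt the intended
    choice and compare with what the client actually produced."""
    redo = [encrypt_bit(h, int(i == intended_choice), r)
            for i, r in enumerate(rs)]
    return redo == cts


def combine(board, n_options: int):
    """Homomorphic tally: multiply the ciphertexts for each option."""
    totals = [(1, 1)] * n_options
    for _, cts in board:
        totals = [(a * c1 % P, b * c2 % P)
                  for (a, b), (c1, c2) in zip(totals, cts)]
    return totals


def decrypt_count(shares, ct, max_votes: int) -> int:
    """Trustees each apply their share to c1; the result g^m is searched for m."""
    c1, c2 = ct
    s = 1
    for x in shares:
        s = s * pow(c1, x, P) % P
    gm = c2 * pow(s, P - 2, P) % P  # divide by s using the Fermat inverse
    for m in range(max_votes + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("count out of range")


def run_election(choices, n_options: int = 3, n_trustees: int = 3):
    shares, h = keygen(n_trustees)
    board, receipts = [], []
    for choice in choices:
        # Cast-or-audit: audit one encryption first. An audited ballot has
        # its randomness exposed, so it is discarded and re-encrypted.
        cts, rs = encrypt_ballot(h, choice, n_options)
        if not audit_ballot(h, cts, rs, choice):
            raise RuntimeError("client encrypted a different choice")
        cts, _ = encrypt_ballot(h, choice, n_options)
        receipts.append(fingerprint(cts))
        board.append((receipts[-1], cts))
    totals = combine(board, n_options)
    counts = [decrypt_count(shares, ct, len(choices)) for ct in totals]
    # Receipt audit: every voter finds their hash beside a matching ciphertext.
    published = {fp for fp, cts in board if fingerprint(cts) == fp}
    return {"counts": counts,
            "receipts_on_board": all(fp in published for fp in receipts)}


if __name__ == "__main__":
    print(run_election([0, 2, 0, 1, 0]))  # constructed votes for options 0..2
```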

3.5.5 Critique

Since Helios is web-based, it is vulnerable to all the known internet attacks that exist today. The security problems that plague the internet cannot be fixed by altering Helios but exist for all online programs [37]. In fact, as part of a research project at the University College London, Helios has already been hacked by the exploitation of a client-side vulnerability [38].

Helios is a complex cryptographic system that is extremely difficult for non-computer scientists to understand. Universal verifiability relies on the ability of anyone to be able to audit an election. Today, Helios can only be audited by cryptographers capable of writing code that conducts the audit. Voters need to understand encryption to trust their vote was sent to the server without modifications.

Internet voting is not a viable solution for Rhode Island at this time, but it should be watched for future consideration. Many of the new election machines from proprietary vendors have internet capability and thus may introduce these issues unintentionally.

3.6 Prêt à Voter

Prêt à Voter was originally created by Peter Ryan when at Newcastle University in 2004 [39]. There are currently two research teams working together on Prêt à Voter. The first team is the Secure, Reliable and Trustworthy Voting System Project (SeRTVS) headed up by Peter Ryan, now of the University of Luxembourg [40]. The second team is the Engineering and Physical Sciences Research Council (EPSRC)'s Trustworthy Voting System Project from both the University of Surrey and the University of Birmingham [41].

The key technique in this system is the use of a randomized candidate order to provide verifiability while maintaining ballot secrecy. There have been a few iterations of Prêt à Voter as the design has been enhanced. For this analysis we used the most recent paper that also contains a comprehensive summarization of previous versions, The Prêt à Voter Verifiable Voting System [42]. Full details about Prêt à Voter can be found on the website.

Ballot Layout

The Prêt à Voter ballot consists of two halves that have a perforation running between them. On the left side there is a randomized list of candidates. The right side holds the actual boxes where the voters choose their candidate and mark the ballot with an ink pen. There is also a 2D bar code that contains information on how to decrypt the candidate order. The key is encrypted in a way that no one person alone can decrypt. See Figure 13 for an example of a Prêt à Voter ballot.

Figure 13. An example of a Prêt à Voter ballot from

3.6.2 Voter Experience on Election Day

Voters enter the polling place and are instructed how to print their own ballot on demand. In the voting booth, voters print out a randomized ballot and then mark the ballot by making an X in the box to the right of the candidate of choice. Once marked, the left hand strip is detached and discarded (preferably shredded). The remaining right hand strip acts as both the receipt and the ballot. The voter takes the ballot to an optical scanning device where the X's are read along with the serial number on the bottom of the receipt.

Voters can then leave the polling place with the right side of the ballot as their receipt. They can then check a bulletin board to make sure their vote was counted and tallied correctly. Since the candidate list was destroyed and the ballots are randomized, the receipt is not enough information for voters to prove how their vote was cast [5].

Back End Process

Prêt à Voter's back end process consists of the following:

Ballot Creation - The alphabetically ordered candidate list is first cyclically shifted using a predetermined formula. The ballots are then encrypted using a mixnet technique. At the time of this writing, Prêt à Voter is experimenting with both a decryption mixnet and a re-encryption mixnet [42]. Keys are generated for each mix server by either RSA (decryption mixnet) or El Gamal (re-encryption mixnet). There is also work being done to replace these encryption schemes with Paillier [43]. The unique encryption cipher generated by this procedure is printed on the ballot.

Ballot Tallying - Before the votes are tallied, the system shuffles the receipts to be sure that the receipts pictured on the bulletin board cannot be linked to the actual votes and then decrypted. Then the votes are decrypted by performing the necessary sequence on the mix servers.

Audit Capability

The following audits can be performed for Prêt à Voter:

Ballot Audit - Before voting, voters can choose to conduct a ballot form audit. In this case voters print out a blank voting form. The system is instructed to decrypt the candidate list hidden on the right side and show that the list is encrypted properly. In theory, the voter can perform this process as often as desired. This process gives the voter assurance that when he votes, the correct candidate list is indeed encrypted properly on both sides of the ballot. However, the voter is not allowed to use the decrypted ballot to vote.

Receipt Audit - After the election, the actual receipts are published on a bulletin board. Voters can verify that their receipts match what appears on the board. If a discrepancy is found the receipt can be used to challenge the election.

Tally Audit - Voters can check all the receipts and choose to compare them to the official published election tally (list of decrypted votes) to verify the election outcome.

Post-Election Mixnet Audit - To verify that the mixnets work properly, Random Partial Checking (RPC) is used to expose and verify a portion of the mixnet.

Critique

The latest version of Prêt à Voter uses a print-on-demand ballot where voters are required to print the ballot in the voting booth. Just-in-time ballots at the polls introduce common printing and user error issues that do not exist today.

Prior to casting, voters are required to tear the ballot in two halves, which may lead to unintended destruction of ballots. To ensure secrecy, it is necessary to destroy the left side of the ballot. If not strictly enforced, voters are able to retain this information and prove who they voted for during the audit process.

Since Rhode Island election law provides that the order of candidates is chosen by the Secretary of State, a randomized candidate list could be used without changing the law. We were intrigued by the use of a random candidate list on the ballot because it promotes fairness among the candidates. This deserves further study.

Since voters destroy half the ballot, and take the other half with them, the paper trail is diminished. To perform a recount, this technology relies on optically scanned ballots.

As with all cryptographic voting systems presented here, Prêt à Voter stores sensitive data. If the data is decrypted, it compromises the secrecy of an election.

3.7 Other Related Work

Several universities are studying various election topics within voting technologies. The topics that most directly relate to this study are election auditing and integrity, vote collection and tabulation, formal security analysis, and scientific evaluations of existing voting machines. A subset of the ongoing work most closely related to the current work is given below.

Computer scientists from the University of Connecticut have written several papers concerning the analysis of the memory cards in the AccuVote Optical Scan (AV-OS) tabulators used in Connecticut elections [44] [45]. Funded by the Office of the Connecticut Secretary of State, the Voting Technology Research Center (VoTeR) was founded in This center was established to research, investigate, and evaluate voting technology and voting equipment for the State of Connecticut [46].

The scientists at Princeton University proved in a New Jersey courtroom that, given access to a Diebold AccuVote-TS voting system for one minute, they could install malicious code that could alter vote counts and compromise the internal records of the election machine [47].

In 2007, the Florida Department of State commissioned an expert review team from Florida State University to conduct a static software code review of the ES&S iVotronic machine as part of the state's audit process to investigate reported discrepancies in the 13th congressional district race for the US House of Representatives between candidates Vern Buchanan and Christine Jennings [48]. In this case no evidence was found that the iVotronic caused the anomalies seen in this election.

At the University of Iowa, computer scientists are studying system event logs of voting machines and recommending what additional information should be collected. They focus on the ES&S iVotronic touch screen interface errors that caused problems in a past election [49]. According to a team of computer scientists from Rice University and Stanford University, the Sarasota County Congressional District 13 election resulted in a 13% undervote and voter complaints that included touch screen insensitivity and slow response times. They concluded that the state did not conduct an extensive audit of what happened in this race, and significant work needed to be performed to analyze both the hardware and software used in this election [50]. The team at Iowa is in the process of building a mock voting system which simulates the errors from this race. They are hoping to recommend improvements for touch screen machines [49].

List of References

[1] D. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Communications of the ACM, vol. 24(2), pp ,
[2] B. Adida, Advances in cryptographic voting systems, Ph.D. dissertation, Massachusetts Institute of Technology, August
[3] M. Jakobsson, A. Juels, and R. L. Rivest, Making mix nets robust for electronic voting by randomized partial checking, in USENIX Security '02, 2002, pp
[4] B. Adida. Takoma Park Last accessed on January 4, [Online]. Available:
[5] P. Y. Ryan and S. A. Schneider. University of Newcastle and University of Surrey. Prêt à Voter with re-encryption mixes. Last accessed on December 28, [Online]. Available: st/s.schneider/papers/esorics06.pdf
[6] B. Adida, Helios: Web-based open-audit voting, in 17th USENIX Security Symposium, July 28-August 1, San Jose, CA,
[7] B. Adida, O. de Marneffe, O. Pereira, and J.-J. Quisquater, Electing a university president using open-audit voting: Analysis of real-world use of Helios, in EVOTE 2009 August , Montreal, Canada,
[8] W. Diffie and M. E. Hellman, New directions in cryptography, in IEEE Transactions on Information Theory. IEEE, November 1976, vol. IT-22, pp
[9] R. L. Rivest, A. Shamir, and L. M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, in Communications of the ACM. Association of Computing Machinery, February 1978, vol. 21, no. 2, pp
[10] R. L. Rivest. MIT lecture 15 for computer and network security: Lecture notes on voting, homomorphic encryption. Last accessed on January 13, [Online]. Available: handouts/l15-voting.pdf
[11] E. Oksuzoglu and D. S. Wallach, Votebox nano: A smaller, stronger FPGA-based voting machine (short paper), in EVOTE 2009 August , Montreal, Canada,
[12] T. E. Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, vol. 31, pp ,

[13] P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in Advances in Cryptology - EUROCRYPT '99, Lecture Notes in Computer Science, J. Stern, Ed. Springer-Verlag, 1999, vol. 1592, pp
[14] R. K. Nichols, ICSA Guide to Cryptography. McGraw Hill,
[15] R. L. Rivest. RFC the MD5 message-digest algorithm. Last accessed on January 13, [Online]. Available: rfc1321
[16] X. Wang, D. Feng, X. Lai, and H. Yu. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Last accessed on January 13, [Online]. Available:
[17] J. Black, M. Cohran, and T. Highland. A study of the MD5 attacks: Insights and improvements. Last accessed on January 13, [Online]. Available: jrblack/papers/md5e-full.pdf
[18] P. Jones. RFC US secure hash algorithm (SHA1). Last accessed on January 13, [Online]. Available: rfc3174.html
[19] X. Wang, Y. L. Yin, and H. Yu, Finding collisions in the full SHA-1, Lecture Notes in Computer Science, vol. 3621, pp , 2005, last accessed on January 13, [Online]. Available:
[20] S. Manuel. Classification and generation of disturbance vectors. Last accessed on January 13, [Online]. Available: /469.pdf
[21] National Institute of Standards and Technology (NIST). NIST's policy on hash functions. Last accessed on January 13, [Online]. Available:
[22] D. Chaum, R. Carback, J. Clark, A. Essex, S. Popoveniuc, R. L. Rivest, P. Y. Ryan, E. Shen, A. T. Sherman, and P. L. Vora, Scantegrity II: End-to-end verifiability for voters of optical scan elections through confirmation codes, in IEEE Transactions on Information Forensics and Security. IEEE, December 2009, vol. 4, no. 4.
[23] G. Brassard, D. Chaum, and C. Crépeau, Minimum disclosure proofs of knowledge, Journal of Computer and System Sciences, vol. 37, pp ,
[24] R. L. Rivest. MIT lecture 18 for computer and network security: Lecture notes on commitment schemes. Last accessed on January 10, [Online]. Available: web.mit.edu/6.857/oldstuff/fall96/lectures/lecture18.ps.gz
[25] A. Essex, J. Clark, and C. Adams, Aperio: High integrity elections for developing countries, in WOTE 2008 IAVoSS Workshop on Trustworthy Elections, Leuven, Belgium July ,
[26] A. Essex, J. Clark, C. Adams, and U. Hengartner, Eperio: Mitigating technical complexity in cryptographic election verification, in EVTWOTE Electronic Voting Technology Workshop, Aug , Washington DC,
[27] D. W. Jones, Some problems with end-to-end voting, in End-to-End Voting Systems Workshop, October 13-14, 2009, Washington DC. University of Iowa,
[28] State of Rhode Island General Assembly. Rhode Island General Laws, title 17 - elections - chapter conduct of election and voting equipment, and supplies. Last accessed on December 23, [Online]. Available:
[29] K. Fisher, R. Carback, and A. T. Sherman, Punchscan: Introduction and system definition of a high-integrity election system, in Proceedings of the 2006 IAVoSS Workshop on Trustworthy Elections (2006),
[30] D. Chaum. The Scantegrity system, an introductory whitepaper and example. Last accessed on January 10, [Online]. Available:
[31] R. Carback, D. Chaum, J. Clark, J. Conway, A. Essex, P. S. Herrnson, T. Mayberry, S. Popoveniuc, R. L. Rivest, E. Shen, A. T. Sherman, and P. L. Vora, Scantegrity II municipal election at Takoma Park: The first E2E binding governmental election with ballot privacy, in 19th USENIX Security Symposium, Washington, DC August ,
[32] D. Chaum, R. Carback, J. Clark, A. Essex, S. Popoveniuc, R. L. Rivest, P. Y. Ryan, E. Shen, and A. T. Sherman, Scantegrity II: End-to-end verifiability for optical scan election systems using invisible ink confirmation codes, in 2008 USENIX/ACCURATE Electronic Voting Technology Workshop,
[33] J. Clark, A. Essex, and C. Adams, Secure and observable auditing of electronic voting systems using stock indices, in Proceedings of the 2007 IEEE Canadian Conference on Electrical and Computer Engineering,
[34] D. Chaum, R. Carback, A. T. Sherman, A. Essex, J. Clark, S. Popoveniuc, and P. L. Vora, Scantegrity: End-to-end voter-verifiable optical scan voting, in IEEE Security & Privacy. IEEE Computer Society,

[35] M. Yaroshefsky. Princeton University Undergraduate Student Government. Guide to Helios. Last accessed on January 5, [Online]. Available: content&view= article&id=230:guide-to-helios&catid=78:elections&itemid=115
[36] J. Benaloh, Ballot casting assurance via voter-initiated poll station auditing, in Proceedings of the 2nd USENIX/ACCURATE Electronic Voting Technology Workshop (EVT '07), Boston, MA.,
[37] D. Jefferson, A. D. Rubin, B. Simons, and D. Wagner. A security analysis of the secure electronic registration and voting experiment (serve). Last accessed on January 6, [Online]. Available: http://servesecurityreport.org/
[38] S. Estehghari and Y. Desmedt, Exploiting the client vulnerabilities in internet e-voting systems: Hacking Helios 2.0 as an example, in Proceedings of the EVT/WOTE '10: 2010 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections, August 9-10, Washington DC,
[39] P. Y. Ryan. Newcastle University. CS-TR N 864A a variant of the Chaum voter-verifiable scheme. Last accessed on December 29, [Online]. Available:
[40] P. Y. Ryan. University of Luxembourg. SeRTVS - secure, reliable and trustworthy voting system. Last accessed on December 29, [Online]. Available: uni.lu/interdisciplinary centre for security reliability and trust/research/ research projects/sertvs secure reliable and trustworthy voting system
[41] University of Surrey and University of Birmingham. Trustworthy voting system. Last accessed on December 29, [Online]. Available:
[42] P. Y. Ryan, D. Bismark, J. Heather, S. Schneider, and Z. Xia. The Prêt à Voter verifiable election system. Last accessed on December 28, [Online]. Available: PretaVoter2010.pdf
[43] Z. Xia, S. A. Schneider, J. Heather, and J. Traoré, Analysis, improvement and simplification of Prêt à Voter with Paillier encryption, in Proceedings of the 3rd USENIX/ACCURATE Electronic Voting Technology Workshop (EVT '08), San Jose, CA.,
[44] S. Davtyan, S. Kentros, A. Kiayias, L. Michel, N. Nicolaou, A. Russell, A. See, N. Shashidhar, and A. A. Shvartsman, Pre-election and post-election audit of optical scan voting terminal memory cards, in 2008 USENIX/ACCURATE Electronic Voting Technology Workshop. UCONN Voting Technology Research Center, University of Connecticut,
[45] A. Shvartsman, A. Kiayias, L. Michel, A. Russell, T. Antonyan, S. Davtyan, S. Kentros, and N. Nicolaou. UCONN Voting Technology Research Center. Post-election audit of memory cards for the November 2008 elections. Last accessed on December 27, [Online]. Available: assets/1/page/post-election%20audit%20of%20memory%20cards%20for% 20the%20November%202008%20Presidential%20Elections.pdf
[46] A. Shvartsman, A. Kiayias, L. Michel, A. Russell, T. Antonyan, S. Davtyan, S. Kentros, and N. Nicolaou. UCONN Voting Technology Research Center. Statistical analysis of the post-election audit data 2010 August primary election. Last accessed on December 27, [Online]. Available: voting%20system%20reports%20uconn%20voting%20center%20analysis% 20of%20post%20election%20audit%20data%20october%2026% pdf
[47] E. W. F. Ariel J. Feldman, J. Alex Halderman, Security analysis of the Diebold AccuVote-TS voting machine, in USENIX 2006 Security Symposium. Princeton University, 2006, last accessed on December 27, [Online]. Available:
[48] A. Yasinsac, D. Wagner, M. Bishop, T. Baker, B. de Mederiros, G. Tyson, M. Shamos, and M. Burmester. Security and Assurance in Information Technology Laboratory, Florida State University. Software review and security analysis of the ES&S iVotronic voting machine firmware. Last accessed on December 27, [Online]. Available:
[49] D. J. A. Mascher, P. Cotton, Recommendations for voting system event log contents and semantics, in NIST Workshop on a Common Data Format for Electronic Voting Systems, Oct 29-30, 2009,
[50] D. S. W. David L. Dill. Stanford University and Rice University. Stones unturned: Gaps in the investigation of Sarasota's disputed congressional election. Last accessed on December 27, [Online]. Available: dwallach/pub/sarasota07.pdf

CHAPTER 4

The WAVERI Election Algorithm

The end-to-end cryptographic-based systems reviewed in the previous chapter offer various methods for increased voter verification while introducing many unfamiliar concepts that may be difficult to comprehend. Douglas W. Jones of the University of Iowa, a leading expert on voting systems, made the following observation: "I suspect that end-to-end cryptographic voting methods will face significant legal challenges in many states. The fundamental problem is not that these new voting methods are more or less secure than existing methods, but they are different, and they involve mechanisms, notably various cryptographic schemes, that are both hard to understand and not anticipated in current secret ballot law" [1].

Based on set theory, the WAVERI (Watch, Audit, Verify Elections for Rhode Island) election algorithm offers a solution that creates a verifiable audit trail without the added complexity associated with cryptographic schemes. In this chapter, the algorithm is presented and critiqued. To demonstrate the WAVERI algorithm, we created a fictitious election consisting of one race between two prominent RI founders, Roger Williams and Anne Hutchinson, to be used as a running example in this study.

4.1 Goals

The WAVERI approach is a unique strategy to create an improved election system. The initial goals of the study are as follows:

State-Level Approach - States have jurisdiction over the selection of election systems as well as most other aspects of electoral law [2]. Replacing one election technology with another is a huge undertaking with a lot at stake.

Moving to a new technology could unintentionally introduce new difficulties with little added benefit. Compared with other states, Rhode Island has been conservative and, as a result, has not had many problems with the management of elections. This study begins at the state level and builds the system with our local needs in mind. Most of the recently developed systems are designed to be generic and as a result do not easily fit into a specific environment. To build WAVERI, the Rhode Island process was first analyzed. Aspects of the system that work remain in place, and suggestions for change are made only where needed.

Universal Verification - This work describes an audit process that provides strong evidence that votes are included as intended by the voter. It also provides a mechanism for both voters and auditors to verify that all votes exist in the final tally.

Open Software - The WAVERI code is written using open standards and is available for public examination.

4.2 Algorithm Overview

The WAVERI algorithm offers a unique approach to creating a verifiable audit trail. Prior to election day, the algorithm creates a set of unique audit codes and stores the set on a precinct's election system. The audit code set is not secret data and is published to a public election website.

On election day, using a randomized procedure, the algorithm secretly divides the audit code set into a family of disjoint subsets. One subset is generated for each candidate in every race. To keep this data secret, the candidate subsets remain in random access memory and are not stored to disk. In the event of a power outage, we will show that this does not cause a problem.

When a vote is cast, an audit code is removed from the selected candidate's subset and placed in the used audit code set. There is only one used audit code set maintained on the election system. Once the code has moved, there is no evidence of which candidate subset it came from, so it is safe to expose the audit code to the public. The audit code is printed out for the voter to take home for later verification.

After the election, the used audit code set and what remains in the candidate subsets are revealed to be used in auditing. Since the original candidate subsets are never exposed, the audit code can never be linked back to a specific candidate. We will show that the data that remains is enough information to successfully audit the election.

4.3 Ballot Layout

One benefit of the WAVERI system is that it is an add-on algorithm that can work with any existing election system. It is unnecessary to create a new ballot format or alter the ballot creation process. There are no added serial numbers and the ballot layout can be totally designed by the Secretary of State's office. The RI ballot previously seen in Figure 6 in Chapter 2 could have been used, but to simplify explanation, our own RI Founder Election ballot for a two-candidate race was created. Figure 14 shows the ballot that is used for our demonstration.

4.4 Voter Experience on Election Day

The voter arrives at the polling place and checks in with the registration desk. The voter is given a ballot in a secrecy sleeve and instructed to go to a voting booth. The voter fills out the ballot. The voter then removes the ballot from the sleeve and inserts the ballot into the voting system. The machine accepts the ballot and, if the ballot is read successfully, the public display counter increases by one [3]. A receipt that lists the precinct number followed by the chosen candidate's audit codes for each race is printed for the voter to take home or give to his/her favorite watchdog group. The audit codes are then published for verification sometime after the election. Figure 15 shows an example of a set of three RI founder election receipts.

Figure 14. WAVERI RI Founder Election Ballot

4.5 Back End Process

The election trustees are responsible for setting up the election parameters at the Board of Elections headquarters as described in Chapter 2. Only the add-on WAVERI process is described here. We assume that there is always just one election machine needed per precinct. The process for one election machine with one race of two candidates and the potential for one write-in candidate is described.

Figure 15. Example of three WAVERI RI Founder Election receipts

Pre-Election Setup

At the Board of Elections, the election systems are readied for delivery to the precincts. For WAVERI, the audit code set is calculated and stored on the election machine. The following variables are used in our calculations:

$P$ denotes the precinct number. Only one precinct will be depicted so $P$ will be set to 1 and assumed where appropriate.
$B$ denotes the number of ballots needed for the precinct. It is assumed that the ballot number is given and is close to the number of registered voters in the precinct.
$N$ denotes the size of the audit code set that is calculated for the precinct.
$R$ denotes the race number. Only one race will be depicted here, therefore $R$ will be set to 1.
$Y_r$ denotes the number of candidates in the race and is given.
$X_r$ denotes the number of candidate subsets needed for each race. Since we need a subset for the write-in candidate and a no-vote option, in this example $X_r = Y_r + 2$ and is given.
$A_r$ denotes the selected audit code for each race, chosen randomly.

One set of unique audit codes is required on an election system. Let $S$ denote the set of audit codes, which consists of unique numbers ranging from 1 to $N$:

$$S = \{1, 2, 3, 4, \ldots, N\}$$

such that $N = 2BX_r$. The number of audit codes is doubled to allow for a randomized partial checking audit that is conducted during the post-election audit process. This process will be explained in detail later in the chapter.

It was determined that natural numbers are adequate for use as audit codes. In Rhode Island there are approximately 700,000 registered voters and 537 precincts. For each precinct, one or two voting systems are sufficient to handle approximately 1304 voters on average. Given this data, B 10 4 and N Audit codes that range from one to five digits in length are manageable for our study and for WAVERI use in Rhode Island. If necessary, alphanumeric characters may be substituted in the future to reduce the digit length in larger voting populations.

Each member of set $S$ is examined to be certain it is unique in the set. To commit $S$, a SHA-256 hash is taken. Both the hash and the audit code set $S$ are published to the election website and stored on the election system to be delivered to the precinct.

RI Founder Election Example - Pre-Election Setup

For the RI founder election, we assume there are three registered voters, therefore three ballots are printed. The following steps are taken at the Board of Elections headquarters during the pre-election setup process:

1. Define Initial Variables

   $B = 3$    Number of ballots
   $Y_r = 2$    Number of candidates in race
   $X_r = Y_r + 2 = 4$    Number of candidate subsets (1 write-in, 1 no-vote)

2. Define audit code set size $N$

   $$N = 2BX_r$$
   $$N = 2(3)(2 + 2) = 24$$

3. Create audit code set $S$ of size $N$

   $$S = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24\}$$

4. Take a SHA-256 hash of audit code set $S$ and store both the hash and the set $S$ on the election machine to be taken to the precinct and on the election website.

When the election system is booted at the polling site, the WAVERI algorithm is activated. The following procedures are performed by the algorithm on election day before the polls open:

1. Validate Commitment - The hash of the audit code set $S$ is recalculated and compared against the stored hash to verify that the audit code set $S$ has not been compromised. Both hashes are printed for the poll worker's verification.

2. Create Candidate Subsets - The audit code set $S$ is shuffled a random number of times before the algorithm divides $S$ into $X_r$ disjoint candidate subsets of size $2B$. Let $C_{rx}$ denote a candidate subset. To ensure that the candidate subsets are disjoint, the following calculations are performed:

   $$S = C_{r1} \cup C_{r2} \cup \ldots \cup C_{rx}$$
   $$C_{r1} \cap C_{r2} \cap \ldots \cap C_{rx} = \{\}$$

Figure 16. Venn diagram of audit code set S with disjoint candidate subsets Election Day Initial Process

A candidate subset is created for each candidate. A candidate subset is also created for each write-in candidate. In Vote for One races there is one write-in candidate subset created. In Vote for M races there are M write-in candidate subsets created. A candidate subset is also created to record when a voter chooses to undervote. Therefore, for each race an audit code is always pulled from one of the candidate subsets. For simplicity, the candidate subsets are assigned to candidates in the order that the candidate names appear on the ballot. The $C_{Y_r+1}$ candidate subset represents the write-in candidate and the $C_{Y_r+2}$ candidate subset represents a no vote. In the future, a random process could shuffle the candidates first before assigning them to candidate pools for added security.

3. Create the used set $U$. Let $U$ denote the used audit code set for the precinct.

The used set is initialized to the empty set.

$$U = \{\}$$

RI Founder Election Example - Election Day Initial Process

For the RI founder election, the above audit code set $S$ is shuffled a random number of times such that the candidate subsets $C_{rx}$ are defined as follows:

$C_{11} = \{1, 5, 9, 10, 11, 16\}$    Candidate subset of Roger Williams
$C_{12} = \{4, 12, 13, 18, 19, 22\}$    Candidate subset of Anne Hutchinson
$C_{13} = \{6, 7, 14, 17, 21, 23\}$    Candidate subset of write-in candidate
$C_{14} = \{2, 3, 8, 15, 20, 24\}$    Candidate subset of no-vote

A Venn diagram is depicted in Figure 16.

The candidate subsets $C_{rx}$ are kept secret. For this version of the algorithm, $C_{rx}$ resides only in random access memory and is never stored to disk. In the event of a power outage, this does not cause a problem. New candidate subsets are rebuilt upon reboot. The used audit code set $U$ is stored to disk, therefore all the used audit codes are known. New candidate subsets are simply re-created by subtracting the used audit code set $U$ from the audit code set $S$ and randomly redistributing the remaining audit codes into candidate subsets $C_{rx}$. Later in this study we experiment with storing $C_{rx}$ to disk and securing it cryptographically.

Election Day Voting Process

Once voting begins, the WAVERI algorithm is responsible for creating the audit trail. When a vote is cast, an audit code $A_r$ is removed from the selected candidate's subset $C_{rx}$ and placed in the used audit code set $U$. After the audit code $A_r$ leaves the candidate subset $C_{rx}$, there is no evidence of which candidate subset the audit code $A_r$ originated from. Therefore exposing the used set $U$ or the used audit codes does not reveal any secret information. The used audit code set $U$ is updated after each vote and stored to the hard drive. A receipt (see Figure 15) that lists the precinct number $P$ and audit code $A_r$ is then printed out for the voter to take home for later verification. At the end of the election, the used audit code set $U$ holds all audit codes that have been chosen from all candidate subsets.

Figure 17. WAVERI RI Founder Election Cast Ballots

RI Founder Election Example - Election Day Voting Process

On election day, the three voters in the precinct show up to the polls. For demonstration purposes we assume the following votes are cast. Figure 17 depicts the filled-in ballots for this election.

1. First Vote - Vote for Anne Hutchinson

   An audit code $A_{11}$ is removed from $C_{12}$ and moved to the used set $U$. Assume $A_{11}$ is randomly chosen as 19 from the $C_{12}$ subset. $C_{rx}$ and $U$ are now defined as follows:

   $C_{11} = \{1, 5, 9, 10, 11, 16\}$    Candidate subset of Roger Williams
   $C_{12} = \{4, 12, 13, 18, 22\}$    Candidate subset of Anne Hutchinson
   $C_{13} = \{6, 7, 14, 17, 21, 23\}$    Candidate subset of write-in candidate
   $C_{14} = \{2, 3, 8, 15, 20, 24\}$    Candidate subset of no-vote
   $U = \{19\}$    Used audit code set

2. Second Vote - No Vote

   The second voter decides to cast an empty ballot. An audit code $A_{21}$ is removed from $C_{14}$ and moved to the used set $U$. Assume $A_{21}$ is randomly chosen as 15 from the $C_{14}$ subset. $C_{rx}$ and $U$ are now defined as follows:

   $C_{11} = \{1, 5, 9, 10, 11, 16\}$    Candidate subset of Roger Williams
   $C_{12} = \{4, 12, 13, 18, 22\}$    Candidate subset of Anne Hutchinson
   $C_{13} = \{6, 7, 14, 17, 21, 23\}$    Candidate subset of write-in candidate
   $C_{14} = \{2, 3, 8, 20, 24\}$    Candidate subset of no-vote
   $U = \{19, 15\}$    Used audit code set

3. Third Vote - Vote for Anne Hutchinson

   Another vote comes in for Anne Hutchinson, therefore an audit code $A_{31}$ is removed from $C_{12}$ and moved to the used pool $U$. Assume $A_{31}$ is randomly chosen as 4 from the $C_{12}$ subset. $C_{rx}$ and $U$ are now defined as follows:

   $C_{11} = \{1, 5, 9, 10, 11, 16\}$    Candidate subset of Roger Williams
   $C_{12} = \{12, 13, 18, 22\}$    Candidate subset of Anne Hutchinson
   $C_{13} = \{6, 7, 14, 17, 21, 23\}$    Candidate subset of write-in candidate
   $C_{14} = \{2, 3, 8, 20, 24\}$    Candidate subset of no-vote
   $U = \{19, 15, 4\}$    Used audit code set

After each vote the candidate subsets $C_{rx}$ remain secret in memory, while the used pool $U$ is stored to disk. The voter receipts are printed out as depicted in Figure 15. A Venn diagram after the vote is illustrated in Figure 18.

Post-Election Process

At the end of election day, the poll worker tallies the votes and prints out the total votes cast for each candidate. The WAVERI algorithm saves the remaining candidate subsets $C_{rx}$ to disk. The algorithm then takes a SHA-256 hash (the hash recommended by NIST, as discussed in Chapter 3) of each candidate subset $C_{rx}$ and of the used audit code set $U$, and saves each message digest to disk. Each set and the corresponding hash is also printed and becomes part of the poll worker's official documentation.

RI Founder Election Post-Election Example

Let $V_{rx}$ denote the votes cast for each candidate in the election. In this precinct we have the following statistics for this election:

$V_{rx}$    Candidate    Total Votes
$V_{11}$    Roger Williams    0
$V_{12}$    Anne Hutchinson    2
$V_{13}$    Write-in    0
$V_{14}$    No votes    1

Figure 18. Venn diagram of audit code set S after vote

4.6 Audit Capability

For WAVERI, the Board of Elections publishes the election's results and the following information for each precinct (see Figure 19):

The original audit code set $S$ for each precinct with its SHA-256 message digest.
The used audit code set $U$ with its SHA-256 message digest.
The audit codes that remain in each of the candidate subsets $C_{rx}$ with their corresponding message digests.

Figure 19. RI Founder Election Results Website

Receipt Audit

The voter receives a printed receipt that lists the precinct number $P$, followed by the selected candidate's audit code $A_r$ for each race, as shown in Figure 15. If the voter chooses to participate in the audit process:

1. The precinct number $P$ and audit code $A_r$ are looked up in the original set of audit codes $S$. If $A_r \in S$, it is verified that $A_r$ is a valid audit code for the election.

2. The audit code $A_r$ is then looked up in the precinct's used pool $U$. If $A_r \in U$, it is verified that $A_r$ has been used as part of the tally in this election.

The information that links the candidate to the audit code no longer exists in any format. Therefore this audit provides the same level of ballot casting assurance as cryptographic-based schemes without the possibility of jeopardizing voter secrecy.

RI Founder Election Receipt Audit

In the RI founder election, we assume that the first and third voters choose to audit their vote, while the second voter decides to throw the receipt away. The first and third voters' receipts indicate audit codes of 19 and 4 respectively. Each voter looks up the audit code on the website, which shows the audit code is indeed in the original audit code set $S$ and the used audit code set $U$ for the precinct. Therefore the voters can see that their audit codes have been used in this election:

$$S = \{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24\}$$

$$U = \{19, 15, 4\}$$

Voter 1 verifies that $19 \in S$ and $19 \in U$.
Voter 3 verifies that $4 \in S$ and $4 \in U$.

Tally Audit

The WAVERI algorithm has a simple procedure to audit the election results. The audit codes that remain in the candidate subsets are published on the election website. Since the remaining audit codes were not used in the election, voter secrecy is not endangered by revealing them. For our calculation, the following variables are needed:

$W_{rx}$ denotes the remaining size of each candidate subset $C_{rx}$.
$Q$ denotes the calculated size of the original candidate subset $C_{rx}$.
$V_{rx}$ denotes the number of votes cast for the candidate.
$T_{rx}$ denotes the number of used audit codes for each candidate.
$N$ is the size of the audit code set $S$ given on the website.
$X_r$ is the number of candidate subsets $C_{rx}$ given on the website.

An auditor can calculate the following using the data from the published website:

1. The original size of the candidate subsets can be determined by

   $$Q = N / X_r$$

2. Calculate the number of used audit codes for each candidate such that

   $$T_{rx} = Q - W_{rx}$$

If $T_{rx} = V_{rx}$, the number of used audit codes is the same as the number of votes cast for each candidate. This calculation creates another data point and shows strong evidence that the tally is correct.

RI Founder Election Tally Audit

For the RI founder election, the following steps are performed to conduct a tally audit:

1. Calculate the original size of the candidate subsets

   $$Q = N / X_r = 24 / 4 = 6$$

2. Calculate $W_{rx}$, the remaining size of each candidate subset $C_{rx}$:

   $C_{11} = \{1, 5, 9, 10, 11, 16\}$    $W_{11} = 6$
   $C_{12} = \{12, 13, 18, 22\}$    $W_{12} = 4$
   $C_{13} = \{6, 7, 14, 17, 21, 23\}$    $W_{13} = 6$
   $C_{14} = \{2, 3, 8, 20, 24\}$    $W_{14} = 5$

3. Calculate $T_{rx}$ by subtracting $W_{rx}$ from the original size of each candidate subset $Q$:

   $T_{11} = Q - W_{11} = 6 - 6 = 0$
   $T_{12} = Q - W_{12} = 6 - 4 = 2$
   $T_{13} = Q - W_{13} = 6 - 6 = 0$
   $T_{14} = Q - W_{14} = 6 - 5 = 1$

4. Verify that the codes removed from the candidate subsets during the election equal the votes cast ($T_{rx} = V_{rx}$):

   $T_{11} = 0$, $V_{11} = 0$, so $T_{11} = V_{11}$
   $T_{12} = 2$, $V_{12} = 2$, so $T_{12} = V_{12}$
   $T_{13} = 0$, $V_{13} = 0$, so $T_{13} = V_{13}$
   $T_{14} = 1$, $V_{14} = 1$, so $T_{14} = V_{14}$

The math is simple and all the data is provided on the website. Therefore, anyone who is interested may easily perform this audit.

Randomized Partial Checking Audit

The original candidate subsets $C_{rx}$ are created at run time, exist only in memory and are never stored to disk. The WAVERI algorithm verifies its correctness by performing the following calculations at subset creation time:

$$S = C_{r1} \cup C_{r2} \cup \ldots \cup C_{rx}$$
$$C_{r1} \cap C_{r2} \cap \ldots \cap C_{rx} = \{\}$$

To provide confirmation that the WAVERI algorithm functioned properly and the candidate subsets $C_{rx}$ were created without error, a version of randomized partial checking is implemented [4].

Recall that during the pre-election process, the WAVERI algorithm creates double the number of audit codes and divides them into candidate subsets of size $2B$. Creating a larger than required data set guarantees that each candidate subset has at least $B$ unused audit codes available to audit after the election.

Figure 20. $Z = S - U$

To create the audit trail, each vote triggered an event to remove an audit code $A_r$ randomly from the selected candidate's subset $C_{rx}$ and move it to the used subset $U$. The votes cast cannot be predicted and the audit codes $A_r$ are chosen randomly. It can therefore be concluded that the remaining sets were generated by a random process. To apply the randomized partial checking theory, we first verify that the unused audit codes were distributed properly. We then assume that with high probability the used audit codes were also distributed properly. The calculations are as follows:

1. A subset is created that contains the unused audit codes from the election (see Figure 20). Let $Z$ denote the unused audit code set such that $Z = S - U$. It can now be shown that

   $$Z = C_{r1} \cup C_{r2} \cup \ldots \cup C_{rx}$$

2. It is then verified that the remaining candidate subsets are all disjoint

   $$C_{r1} \cap C_{r2} \cap \ldots \cap C_{rx} = \{\}$$

   as depicted in the Venn diagram in Figure 18.

Performing the calculations on a subset of the data after the election is a version of randomized partial checking. Proving that the remaining sets are correct provides strong evidence that the original subsets were calculated error free.

RI Founder Election Randomized Partial Checking Audit

After the RI founder election, the unused audit codes in the candidate subsets are stored to disk as shown in the Venn diagram (Figure 18) and on the election website (Figure 19). From this data, an auditor can verify that all audit codes that remain in the candidate subsets $C_{rx}$ are disjoint and are members of the original audit set $S$.

Complete Set Audit

After the election, the WAVERI algorithm has the added benefit that there is no secret data to maintain. All audit codes, used or unused, are accounted for after the election and may be used to conduct an audit. If the algorithm behaved correctly, each audit code from the audit code set $S$ will be a member of either a candidate subset $C_{rx}$ or the used subset $U$ exclusively, such that

$$S = U \cup C_{r1} \cup C_{r2} \cup \ldots \cup C_{rx}$$

99 U C r1 C r2... C rx = {} RI Founder Election Complete Set Audit For the RI founder election it can be easily verified that the above calculations hold by simply gathering data from the election website(see Figure 19) and creating the Venn diagram (Figure 18). 4.7 Critique Many experts have voiced concerns that proposed cryptographic systems such as those described in Chapter 3 are too complex and rely on secret data that must not be revealed or may compromise the election. In this study, we have demonstrated that an audit trail can be created without the use of cryptographicbased schemes or stored secret data. With the WAVERI algorithm, a known vulnerability exists at runtime. The algorithm generates the candidate subsets C rx and keeps this data in RAM only. Although the algorithm performs correctness checks on itself, and the code is open for all to review, there is no mechanism for a second source to verify their creation until after the election with the randomized partial checking audit Cryptographic Scheme Addition An alternative method that would eliminate the runtime vulnerability is to incorporate a cryptographic scheme. In this approach, the candidate subsets C rx are formed during the pre-election process, stored to the election machines and encrypted. The cryptographic scheme adds a new procedure to encrypt and decrypt the candidate sets at both the polls and election headquarters and requires that the secret be shared by a group of trustees to reduce the risk of compromise. For our system, this approach adds complexity with little added value. This enhanced procedure only provides a mechanism to perform a randomized partial checking 83

100 audit on the stored secret data before the election System Crash Since the candidate subsets C rx only exist in RAM, in the event of a system crash, the subsets are lost. This does not cause a problem and does not spoil the audit trail for the election. The used subset U stores the audit codes that have been used in the election. When the system reboots, the algorithm subtracts U from S and uses the remainder to generate new candidate subsets C rx. Redistributing the audit codes to new candidate sets does not cause a problem for the audit and the election can continue without error. List of References [1] D. W. Jones, Some problems with end-to-end voting, in End-to-End Voting Systems Workshop, October 13-14, 2009, Washington DC. University of Iowa, [2] State of Rhode Island General Assembly. Rhode Island General Laws, title 17 - elections - chapter conduct of election and voting equipment, and supplies. Last accessed on December 23, [Online]. Available: [3] M. J. Nunez, Poll Worker Manual, RI Board of Elections, 55 Branch Avenue, Providence RI, [4] M. Jakobsson, A. Juels, and R. L. Rivest, Making mix nets robust for electronic voting by randomized partial checking, in USENIX Security 02, 2002, pp
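The crash-recovery rule from the System Crash section above, run end to end: this is an added example, not the WAVERI prototype's code. The code format, the round-robin deal and every class and function name are assumptions; the 24-code set and the ballot choices follow Tables 1 and 2 of Chapter 5.

```python
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed audit code alphabet


def make_audit_codes(n, length=8):
    """Create the audit code set S: n distinct random codes."""
    codes = set()
    while len(codes) < n:
        codes.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return frozenset(codes)


def deal_subsets(codes, choices):
    """Randomly split `codes` into one candidate subset C_rx per ballot choice."""
    pool = sorted(codes)
    secrets.SystemRandom().shuffle(pool)
    subsets = {choice: set() for choice in choices}
    for i, code in enumerate(pool):
        subsets[choices[i % len(choices)]].add(code)
    return subsets


class Precinct:
    def __init__(self, n_codes, choices):
        self.choices = list(choices)
        self.S = make_audit_codes(n_codes)           # stored to disk before the election
        self.U = set()                               # used codes, stored to disk
        self.C = deal_subsets(self.S, self.choices)  # candidate subsets, RAM only

    def cast(self, choice):
        """Record a vote: move one random code from C[choice] to U and return it."""
        if not self.C[choice]:
            raise RuntimeError(f"no unused audit codes left for {choice!r}")
        code = secrets.choice(sorted(self.C[choice]))
        self.C[choice].remove(code)
        self.U.add(code)
        return code

    def crash_and_reboot(self):
        """Simulate losing RAM: only S and U survive, so re-deal S - U."""
        self.C = deal_subsets(self.S - self.U, self.choices)

    def invariants_hold(self):
        """U and the C_rx cover S exactly, and no code sits in two places."""
        parts = [self.U, *self.C.values()]
        return (set().union(*parts) == self.S
                and sum(len(p) for p in parts) == len(self.S))


def demo():
    """Two votes, a crash, one more vote; returns the precinct and its receipts."""
    p = Precinct(24, ["Roger Williams", "Anne Hutchinson", "Write-in", "Undervotes"])
    receipts = [p.cast("Roger Williams"), p.cast("Anne Hutchinson")]
    ok_before = p.invariants_hold()
    p.crash_and_reboot()
    receipts.append(p.cast("Roger Williams"))
    return p, receipts, ok_before


if __name__ == "__main__":
    p, receipts, ok_before = demo()
    print("invariants before crash:", ok_before)
    print("invariants after crash: ", p.invariants_hold())
    print("used:", len(p.U), "remaining:", sum(len(c) for c in p.C.values()))
```

Because the re-deal draws only from S - U, a receipt issued before the crash can never reappear in a candidate subset afterwards.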

CHAPTER 5

Findings and Testing

Our research was conducted in three phases. In the first phase, the most prominent research in election technology was examined. The findings and critique of this investigation are described in Chapter 3 and will not be revisited here. In the second phase, our own election prototype was designed and built based on the WAVERI Algorithm. To create a real world data set to test the prototype, mock elections were held using OpTech III-P Eagle voting systems borrowed from the Rhode Island Board of Elections. In the last phase, forensic technologies were analyzed and a baseline metric was developed to begin a discussion of a formal process to measure forensic capabilities of election machines.

5.1 The WAVERI Prototype

The WAVERI prototype was written in Python and built as a stand-alone voting system to test the concept of the WAVERI algorithm. The prototype is capable of conducting elections with up to 7 races having a total of 100 candidates at an unlimited number of precincts. The prototype can perform the following functions (see Figure 21 for the main menu):

Set up New Election for Precinct

Each precinct has its own set of races and local questions, which requires a custom-made ballot, audit code set $S$, and candidate subsets $C_{rx}$ to be created prior to the election. To calculate the size of the audit code set $N$, the user is prompted to enter the number of registered voters in the precinct. The ballot and candidate subsets $C_{rx}$ are created by asking a series of questions about the races and candidates.

Figure 21. WAVERI Prototype Menu Screen

In Figure 22 the creation process for a two candidate race with one write-in is shown. Once the ballot is defined and all candidates are known, the set of audit codes $S$ is created and stored to disk by precinct number (see Figure 23). Since this is a prototype built for testing purposes, the candidate audit code subsets $C_{rx}$ are also set up and stored to disk. When WAVERI is used in practice, the candidate audit code subsets $C_{rx}$ will remain only in memory.

Calculate Live Election

The WAVERI prototype is able to simulate live elections. This provides a mechanism to test various scenarios as well as a suitable data entry tool to audit elections. When a live election is started, the prototype first reports the number of registered voters in the precinct (see Figure 24). This number represents the maximum number of votes that can be cast. It then asks for the first vote. The user has the option to vote for a candidate, choose a write-in or undervote. After each vote $V_{rx}$ is recorded, an audit code $A_r$ is pulled from the appropriate candidate subset $C_{rx}$ and stored to a receipt file to be analyzed later during the audit process.

Figure 22. WAVERI Option 1 - Set up New Election for Precinct

Figure 23. WAVERI Stored Audit Data

Figure 24. WAVERI Option 4 - Calculate a Live Election

If a write-in is chosen, an audit code is pulled from the appropriate write-in subset and the vote is cast but no name is recorded at this time. This capability could be easily added in the future. In this scenario, the voting continues until the number of registered voters is reached or the user chooses to end the program. When the election is complete, the remaining candidate subsets are stored to disk to be used during the audit process. The election results are then printed to the screen (Figure 25) and stored to disk.

Calculate Election from Stored Ballots

To test various scenarios without reentering the data set, the prototype stores the data created during a live election to disk. The user can choose to re-calculate an election from the stored ballots using this option.

Figure 25. WAVERI Live Election Results

Figure 26. WAVERI Option 3 - Conduct Post Election Audit

Race 0 - Senator
Columns: rx, $V_{rx}$, $W_{rx}$, $T_{rx}$
Rows: Roger Williams, Anne Hutchinson, Write-in, Undervotes, Total
Table 1. Audit Results - Tally Audit

Complete Set Audit
Size of Used Pool: 3
Total Size of remaining C subsets: 21
Total: 24
Number of Audit Codes (N): 24
Table 2. Audit Results - Complete Set Audit

C C C C U S
Table 3. Audit Results - RPC Audit

Conduct Post Election Audit from Stored Ballots

In the WAVERI election system, all the data necessary to conduct an audit is stored on the election's website. From this data, auditors can perform the audit themselves by using the software provided or by writing their own code. For the WAVERI prototype, the audits are calculated and the final results are displayed on the screen as shown in Figure 26. The data used to calculate the tally audit, the complete set audit, and the RPC audit is shown in Tables 1, 2 and 3.

Figure 27. WAVERI Post Election Audit Data

The prototype conducts the following audits as described in the previous chapter:

Tally Audit - For each candidate, the received votes $V_{rx}$, the number of codes remaining in the subset $W_{rx}$ and the computed tally $T_{rx}$ are displayed. If $V_{rx} = T_{rx}$, Audit Successful is printed to the screen. Otherwise, Audit Unsuccessful is displayed.

RPC Audit - To verify that the candidate subsets $C_{rx}$ were created properly, a randomized partial checking audit is conducted on the remaining data after the election.

$S = U \cup C_{00} \cup C_{01} \cup C_{02} \cup C_{03}$

$C_{00} \cap C_{01} \cap C_{02} \cap C_{03} = \{\}$

If the audit is successful, RPC Audit Successful is printed to the screen. Otherwise, RPC Audit Unsuccessful is displayed.

Complete Set Audit - For the prototype, the complete set audit verifies that all audit codes are accounted for by verifying that the size of the audit code set $N$ equals the size of the used subset $U$ and the size of the remaining candidate pools $C_{rx}$. If the audit is successful, Complete Set Audit Successful is printed to the screen. Otherwise, Complete Set Audit Unsuccessful is displayed.

Receipt Audit - For the prototype, all the receipt codes are stored by race number for each precinct (receipt 10.txt in Figure 27). The auditor can verify that each audit code $A_r$ in the receipt file is found in the audit code set $S$ (superset data 10.txt in Figure 23) and not in the remaining candidate subsets $C_{rx}$ (remaining pool data 10.txt in Figure 27).

5.2 Mock Election

To conduct our mock elections, two OpTech III-P Eagle voting machines were loaned to us by the RI Board of Elections from January 4, 2011 to March 4, The machines were a gift from Michigan to Rhode Island and are kept only for spare parts. It is common practice when states upgrade their machines to either try to sell or give their older equipment away. It is important to note that we were not allowed unsupervised access to machines that are officially used in the Rhode Island voting process. Machines are commonly loaned to high schools and other groups interested in conducting elections.

For our election, the memory cartridge on each system was programmed to recognize the Famous Names demonstration ballot (shown in Figure 28 and Figure 29) that is used for machine tests and mock elections. On the front side of the ballot there are four Vote for One races with one write-in candidate slot and one Vote for Three race with three write-in candidate slots. On the back side of the ballot there are two proposition questions with only the choice of yes or

Figure 28. Demo Ballot Example (front)
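The RPC, complete set and receipt audits listed in Section 5.1, written as a script an outside auditor could run over the published sets. This is an added example, not the WAVERI prototype's code: the code strings and all function names are constructed for illustration, the subset names C00 to C03 follow the RPC formula, and the sizes follow Table 2.

```python
from itertools import combinations


def rpc_audit(S, U, remaining):
    """Remaining subsets are pairwise disjoint, none overlaps U or leaves S,
    and S = U | C_r1 | ... | C_rx. Returns a list of problems (empty = success)."""
    problems = []
    for (a, ca), (b, cb) in combinations(sorted(remaining.items()), 2):
        if ca & cb:
            problems.append(f"{a} and {b} share {sorted(ca & cb)}")
    for name, c in sorted(remaining.items()):
        if c & U:
            problems.append(f"{name} holds used codes {sorted(c & U)}")
        if c - S:
            problems.append(f"{name} holds codes outside S {sorted(c - S)}")
    if U - S:
        problems.append(f"U holds codes outside S {sorted(U - S)}")
    missing = S - U.union(*remaining.values())
    if missing:
        problems.append(f"codes unaccounted for {sorted(missing)}")
    return problems


def complete_set_audit(S, U, remaining):
    """N must equal the size of U plus the sizes of the remaining subsets."""
    total = len(U) + sum(len(c) for c in remaining.values())
    if total == len(S):
        return []
    return [f"|U| + sum|C_rx| = {total}, but N = {len(S)}"]


def receipt_audit(S, receipts, remaining):
    """Every receipt code is in S and in none of the remaining subsets."""
    problems = []
    for code in receipts:
        if code not in S:
            problems.append(f"receipt {code} is not in S")
        for name, c in sorted(remaining.items()):
            if code in c:
                problems.append(f"receipt {code} is still in {name}")
    return problems


def run_audits(S, U, remaining, receipts):
    return {
        "RPC Audit": rpc_audit(S, U, remaining),
        "Complete Set Audit": complete_set_audit(S, U, remaining),
        "Receipt Audit": receipt_audit(S, receipts, remaining),
    }


def constructed_election():
    """Constructed sample data: N = 24, 3 used codes, 21 remaining."""
    codes = [f"AC{i:02d}" for i in range(24)]
    S = set(codes)
    U = set(codes[0:3])
    remaining = {
        "C00": set(codes[3:8]),    # 5 codes left
        "C01": set(codes[8:13]),   # 5 codes left
        "C02": set(codes[13:19]),  # 6 codes left
        "C03": set(codes[19:24]),  # 5 codes left
    }
    receipts = list(codes[0:3])
    return S, U, remaining, receipts


if __name__ == "__main__":
    S, U, remaining, receipts = constructed_election()
    remaining["C01"].add("AC00")  # tamper: a used code put back into a subset
    for audit, problems in run_audits(S, U, remaining, receipts).items():
        print(audit, "Successful" if not problems else "Unsuccessful", problems)
```

The tampered run fails all three audits at once, which shows why the checks are published together: a used code returned to a candidate subset breaks disjointness, the size total and the receipt check.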


More information

Thoughts On Appropriate Technologies for Voting

Thoughts On Appropriate Technologies for Voting Thoughts On Appropriate Technologies for Voting Ronald L. Rivest Viterbi Professor of EECS MIT, Cambridge, MA Princeton CITP E-voting Workshop 2012-11-01 Is Voting Keeping Up with Technology? We live in

More information

2. Scope: This policy applies to the Auditor and the staff identified within this policy.

2. Scope: This policy applies to the Auditor and the staff identified within this policy. CLAY COUNTY VOTING SYSTEM SECURITY POLICY Last Revised March 29, 2016 1. Purpose: The purpose of this policy is to assure the voting system is secure by defining guidelines for the Auditor and staff. 2.

More information

DIRECTIVE November 20, All County Boards of Elections Directors, Deputy Directors, and Board Members. Post-Election Audits SUMMARY

DIRECTIVE November 20, All County Boards of Elections Directors, Deputy Directors, and Board Members. Post-Election Audits SUMMARY DIRECTIVE 2012-56 November 20, 2012 To: Re: All County Boards of Elections Directors, Deputy Directors, and Board Members Post-Election Audits SUMMARY In 2009, the previous administration entered into

More information

Electronic Voting Machine Information Sheet

Electronic Voting Machine Information Sheet Election Systems & Software ivotronic Name / Model: ivotronic1 Vendor: Election Systems & Software, Inc. (ES&S) Voter-Verifiable Paper Trail Capability: Yes Brief Description: ES&S' ivotronic Touch Screen

More information

Key Considerations for Oversight Actors

Key Considerations for Oversight Actors Implementing and Overseeing Electronic Voting and Counting Technologies Key Considerations for Oversight Actors Lead Authors Ben Goldsmith Holly Ruthrauff This publication is made possible by the generous

More information

Michigan Election Reform Alliance P.O. Box Ypsilanti, MI

Michigan Election Reform Alliance P.O. Box Ypsilanti, MI Michigan Election Reform Alliance P.O. Box 981246 Ypsilanti, MI 48198-1246 HTTP://WWW.LAPN.NET/MERA/ October 6, 2006 Affiliate Dear County Election Commission member, The Michigan Election Reform Alliance

More information

Colorado Secretary of State Election Rules [8 CCR ]

Colorado Secretary of State Election Rules [8 CCR ] Rule 25. Post-election audit 25.1 Definitions. As used in this rule, unless stated otherwise: 25.1.1 Audit Center means the page or pages of the Secretary of State s website devoted to risk-limiting audits.

More information

General Framework of Electronic Voting and Implementation thereof at National Elections in Estonia

General Framework of Electronic Voting and Implementation thereof at National Elections in Estonia State Electoral Office of Estonia General Framework of Electronic Voting and Implementation thereof at National Elections in Estonia Document: IVXV-ÜK-1.0 Date: 20 June 2017 Tallinn 2017 Annotation This

More information

ARKANSAS SECRETARY OF STATE

ARKANSAS SECRETARY OF STATE ARKANSAS SECRETARY OF STATE Rules on Vote Centers May 7, 2014 Revised April 6, 2018 1.0 TITLE 1.01 These rules shall be known as the Rules on Vote Centers. 2.0 AUTHORITY AND PURPOSE 2.01 These rules are

More information

Supporting Electronic Voting Research

Supporting Electronic Voting Research Daniel Lopresti Computer Science & Engineering Lehigh University Bethlehem, PA, USA George Nagy Elisa Barney Smith Electrical, Computer, and Systems Engineering Rensselaer Polytechnic Institute Troy, NY,

More information

L14. Electronic Voting

L14. Electronic Voting L14. Electronic Voting Alice E. Fischer October 28, 2014 Voting... 1/14 What is all the fuss about? Voting Systems Public Voting is Different On-Site and Off-site Voting Voting... 2/14 What is all the

More information

BALLOT BOX CHECKLIST

BALLOT BOX CHECKLIST WEEK BEFORE ELECTION 1. Call your facility contacts to confirm access to the voting site for setup and on election morning. 2. Telephone your scheduled judges no later than noon on Friday before Election

More information

Post-Election Online Interview This is an online survey for reporting your experiences as a pollworker, pollwatcher, or voter.

Post-Election Online Interview This is an online survey for reporting your experiences as a pollworker, pollwatcher, or voter. 1 of 16 10/31/2006 11:41 AM Post-Election Online Interview This is an online survey for reporting your experiences as a pollworker, pollwatcher, or voter. 1. Election Information * 01: Election information:

More information

REVISOR JRM/JU RD4487

REVISOR JRM/JU RD4487 1.1 Secretary of State 1.2 Proposed Permanent Rules Relating to Elections Administration and the Presidential 1.3 Nomination Primary 1.4 8200.1100 PRINTING SPECIFICATIONS. 1.5 Subpart 1. Applications returned

More information

Secretary of State Chapter STATE OF ALABAMA OFFICE OF THE SECRETARY OF STATE ADMINISTRATIVE CODE

Secretary of State Chapter STATE OF ALABAMA OFFICE OF THE SECRETARY OF STATE ADMINISTRATIVE CODE STATE OF ALABAMA OFFICE OF THE SECRETARY OF STATE ADMINISTRATIVE CODE CHAPTER 820-2-10 PROCEDURES FOR IMPLEMENTING THE UNIFORMED AND OVERSEAS CITIZENS ABSENTEE VOTING ACT ( UOCAVA ) TABLE OF CONTENTS 820-2-10-.01

More information

Report and Analysis of the 2006 Post-Election Audit of Minnesota s Voting Systems

Report and Analysis of the 2006 Post-Election Audit of Minnesota s Voting Systems Report and Analysis of the 2006 Post-Election Audit of Minnesota s Voting Systems Prepared by: Citizens for Election Integrity Minnesota Principal Authors: Mark Halvorson, Director, Co-founder Laura Wolff,

More information

AFFIDAVIT OF DOUGLAS W. JONES. 1. I am an Associate Professor of Computer Science at the University of

AFFIDAVIT OF DOUGLAS W. JONES. 1. I am an Associate Professor of Computer Science at the University of AFFIDAVIT OF DOUGLAS W. JONES DOUGLAS W. JONES, being duly sworn, deposes and says the following under penalty of perjury. 1. I am an Associate Professor of Computer Science at the University of Iowa.

More information

This page intentionally left blank

This page intentionally left blank This page intentionally left blank Boulder County Elections Boulder County Clerk and Recorder 1750 33rd Street, Suite 200 Boulder, CO 80301 www.bouldercountyvotes.org Phone: (303) 413-7740 AGENDA LOGIC

More information

Cuyahoga County Board of Elections

Cuyahoga County Board of Elections Cuyahoga County Board of Elections Hearing on the EVEREST Review of Ohio s Voting Systems and Secretary of State Brunner s Related Recommendations for Cuyahoga County Comment of Lawrence D. Norden Director

More information

Oswego County. Official Annual Statistical Summary & Narrative Report of Election Operations

Oswego County. Official Annual Statistical Summary & Narrative Report of Election Operations Oswego County Board of Elections Official Annual Statistical Summary & Narrative Report of Election Operations 2003 Commissioners of Elections Donald M. Wart and William W. Scriber Elections Operation

More information

Anoka County Procedural Law Waiver Application Narrative Section A: Background Implementation of the Help America Vote Act of The Help America

Anoka County Procedural Law Waiver Application Narrative Section A: Background Implementation of the Help America Vote Act of The Help America Anoka County Procedural Law Waiver Application Narrative Section A: Background Implementation of the Help America Vote Act of 2002 1. The Help America Vote Act In 2002 the federal government passed the

More information

Please see my attached comments. Thank you.

Please see my attached comments. Thank you. From: Sent: To: Subject: Attachments: MJ Schillaci Friday, July 12, 2013 12:38 PM Public UVS Panel public comment on Voting System s UVSs-Public.doc Please see my attached

More information

RULES OF SECRETARY OF STATE CHAPTER ELECTRONIC VOTING MACHINES RULES AND REGULATIONS TABLE OF CONTENTS

RULES OF SECRETARY OF STATE CHAPTER ELECTRONIC VOTING MACHINES RULES AND REGULATIONS TABLE OF CONTENTS RULES OF SECRETARY OF STATE CHAPTER 1360-02-13 ELECTRONIC VOTING MACHINES TABLE OF CONTENTS 1360-02-13-.01 Adoption and promulgation 1360-02-13-.02 Intent of Regulations 1360-02-13-.03 State Election Code

More information

IT MUST BE MANDATORY FOR VOTERS TO CHECK OPTICAL SCAN BALLOTS BEFORE THEY ARE OFFICIALLY CAST Norman Robbins, MD, PhD 1,

IT MUST BE MANDATORY FOR VOTERS TO CHECK OPTICAL SCAN BALLOTS BEFORE THEY ARE OFFICIALLY CAST Norman Robbins, MD, PhD 1, 12-16-07 IT MUST BE MANDATORY FOR VOTERS TO CHECK OPTICAL SCAN BALLOTS BEFORE THEY ARE OFFICIALLY CAST Norman Robbins, MD, PhD 1, nxr@case.edu Overview and Conclusions In the Everest Project report just

More information

Voting System Certification Evaluation Report

Voting System Certification Evaluation Report Report Prepared for the Texas Secretary of State Elections Division Voting System Certification Evaluation Report Hart InterCivic (Hart) Verity Voting System 2.0 Introduction The Hart Verity Voting System

More information

Volume I Appendix A. Table of Contents

Volume I Appendix A. Table of Contents Volume I, Appendix A Table of Contents Glossary...A-1 i Volume I Appendix A A Glossary Absentee Ballot Acceptance Test Ballot Configuration Ballot Counter Ballot Counting Logic Ballot Format Ballot Image

More information

Vote Tabulator. Election Day User Procedures

Vote Tabulator. Election Day User Procedures State of Vermont Elections Division Office of the Secretary of State Vote Tabulator Election Day User Procedures If you experience technical difficulty with the tabulator or memory card(s) at any time

More information

Scott Gessler Secretary of State

Scott Gessler Secretary of State STATE OF COLORADO Department of State 1700 Broadway Suite 200 Denver, CO 80290 Scott Gessler Secretary of State Suzanne Staiert Deputy Secretary of State Revised Statement of Basis, Purpose, and Specific

More information

GENERAL RETENTION SCHEDULE #23 ELECTIONS RECORDS INTRODUCTION

GENERAL RETENTION SCHEDULE #23 ELECTIONS RECORDS INTRODUCTION GENERAL RETENTION SCHEDULE #23 ELECTIONS RECORDS INTRODUCTION Public Records The Michigan Freedom of Information Act (FOIA) (MCL 15.231-15.246) defines public records as recorded information prepared,

More information

REQUESTING A RECOUNT 2018

REQUESTING A RECOUNT 2018 LOS ANGELES COUNTY REGISTRAR-RECORDER/COUNTY CLERK REQUESTING A RECOUNT 8 A voter requested recount is conducted by the elections official for the purpose of publicly verifying the number of votes tallied

More information

How do I know my vote is safe?

How do I know my vote is safe? Report on Montana Election Security Prepared for the 2019 Montana Legislature By the League of Women Voters Montana December 17, 2018 INTRODUCTON Recent news that foreign governments tried to tamper with

More information

The problems with a paper based voting

The problems with a paper based voting The problems with a paper based voting system A White Paper by Thomas Bronack Problem Overview In today s society where electronic technology is growing at an ever increasing rate, it is hard to understand

More information

Arizona 2. DRAFT Verified Voting Foundation March 12, 2007 Page 1 of 9

Arizona 2. DRAFT Verified Voting Foundation March 12, 2007 Page 1 of 9 Escrow of Voting System Software As part of an ongoing effort to evaluate transparency in our elections, Verified Voting recently began researching which states require escrow of voting system software

More information