Brittle and Resilient Verifiable Voting Systems


Brittle and Resilient Verifiable Voting Systems
Philip B. Stark, Department of Statistics, University of California, Berkeley
Verifiable Voting Schemes Workshop: from Theory to Practice
Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg
Luxembourg, 21-22 March 2013

Fundamental Rule of Applied Work
"In theory, there's no difference between theory and practice. But in practice, there is." Jan L.A. van de Snepscheut

Fundamental Rule of Election Integrity
If you tell vendors or LEOs that there are three essential things they must do to ensure integrity, often they will do both of those things.

Fundamental Rule of Election Integrity in Action
- Recent examples: Clear Ballot, Sacramento County
- What are the consequences for traditional voting systems?
- What are the consequences for E2E voting systems?

Wallach's Insight
"The purpose of an election is to convince the loser he lost." Dan Wallach

Evidence-Based Elections
Elections officials should provide convincing evidence that the outcomes are right, or say that no such evidence is forthcoming.

(Strong) Software Independence
- An undetected change or error in its software cannot produce an undetectable change or error in the results (strong SI adds: and it is possible to reconstruct the correct result without re-running the election). Rivest & Wack
- Property of the election, not the equipment
- A system can produce a wonderful voter-verified paper trail and still not be SI, if the paper trail is not curated adequately
- SSI guarantees that the right outcome can be found without re-running the election, but you still have to look and do the work

E2E
- Voter can verify that her vote was counted as cast.
- Anyone can verify that the published votes were tabulated correctly.
- Property of the election, not the equipment

Resilient Canvass Framework
- Large (minimum) chance that, at the end of the canvass, the declared outcome is correct, or a declaration that no such guarantee can be made. Benaloh et al.
- Captures the idea that the system should be self-correcting, or admit that the perturbation may have exceeded its fault tolerance
- Property of the election, not the equipment

What do we want election audits to do?
- Ensure that the electoral outcome is correct.
- If the outcome is wrong, correct it before it's official.

Risk-limiting Audit
- Large (minimum) chance of correcting the outcome if the outcome is wrong.
- Property of the audit, not of a particular recipe
- Gives quantitative, statistical evidence
- Generally relies on random samples from the audit trail
- Presumes that the audit trail is sufficiently intact that a full hand count would reveal the correct outcome

Compliance Audit
- Check whether the audit trail is sufficiently intact that a full hand count would show the real outcome.
- Gives qualitative evidence, like legal standards: convincing to a reasonable person.
- Ballot accounting, checks of chain of custody, security seals, etc.

Risk-Limiting Audits
- Guaranteed minimum chance of correcting the outcome if the outcome is wrong
- The minimum is over all ways the outcome could be wrong: random error, equipment failure, fraud
- Many ways to accomplish this
- Basic strategies: comparison and ballot-polling

Ballot-polling Audits and Comparison Audits
- Ballot-polling audit: sample ballots until there is strong evidence that looking at all of them would show the same election outcome. Like an exit poll, but of ballots, not voters.
- Comparison audit:
  1. Commit to vote subtotals (or CVRs), e.g., precinct-level results
  2. Check that the subtotals add up exactly to the contest results
  3. Check subtotals by hand until there is strong evidence the outcome is right
- For both, the sample size is random: sampling continues until the evidence is strong enough. It depends on which ballots are drawn; for a comparison audit, it also depends on the errors found.

Tradeoffs

Ballot-polling audit
- Virtually no set-up costs
- Requires nothing of the voting system
- Needs a ballot manifest to draw the sample
- Preserves voter anonymity, except possibly for sampled ballots
- Requires more counting than a ballot-level comparison audit
- Does not check tabulation: the outcome could be right because errors cancel

Comparison audit
- Heavy demands on the voting system for reporting and data export
- Requires the LEO to commit to subtotals
- Requires the ability to retrieve the ballots that correspond to CVRs or subtotals
- May compromise voter privacy
- Most efficient form (ballot-level) not possible with current systems: requires rescan
- Checks tabulation (but not for transitive audits, unless subtotals are cross-checked as well)
- Ballot-level comparison audits require the least hand counting

Pilot Risk-Limiting Audits
- 17 pilot audits in CA, CO, and OH; another 13 planned.
- EAC funding for pilots in CA and CO and Cuyahoga County, OH
- CO has a law; CA has a pilot law
- Simple measures, super-majority, multi-candidate, vote-for-n
- Multiple contests audited simultaneously with one sample
- Contest sizes: 200 ballots to 121,000 ballots
- Counting burden: 16 ballots to 7,000 ballots
- Cost per audited ballot: nil to about $0.55
- Several jurisdictions have audited on their own; no statistician required

What hasn't been tried?
- Cross-jurisdictional contests
- IRV/RCV

Ballot-polling Audits are often Cheap for Big Contests
- 255 state-level U.S. presidential contests, 1992-2011, 10% risk limit
- BPA expected to examine fewer than 308 ballots for half the contests.
- Work expands as margins shrink, but we could get a lot of election integrity at low cost with any paper-based system.

Workload estimate: Ballot-Polling Audit, 2 Candidates, 10% Risk Limit (ballots drawn)

| Winner's true share | Median | 90th percentile | Mean   |
|---------------------|-------:|----------------:|-------:|
| 70%                 |     22 |              60 |     30 |
| 65%                 |     38 |             108 |     53 |
| 60%                 |     84 |             244 |    119 |
| 58%                 |    131 |             381 |    184 |
| 55%                 |    332 |             974 |    469 |
| 54%                 |    518 |           1,520 |    730 |
| 53%                 |    914 |           2,700 |  1,294 |
| 52%                 |  2,051 |           6,053 |  2,900 |
| 51%                 |  8,157 |          24,149 | 11,556 |
| 50.5%               | 32,547 |          96,411 | 46,126 |

Making it simple is hard but possible
- Very simple rules and tools for ballot-level audits
- Crucial that the calculations be simple and reproducible by observers. Have approaches easy enough for pencil and paper.
- Comparison: at 10% risk, need 5/margin ballots if no errors are found. Sample until $\#\mathrm{good} + \alpha_1\,\#\mathrm{under} - \alpha_2\,\#\mathrm{over} > \alpha_3$.
- Ballot-polling: sample until $\alpha_w^{\#w}\,\alpha_\ell^{\#\ell} < \rho$ for all (winner, loser) pairs.
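As an added worked example (not from the slides), the two stopping rules above and the workload table in Python: the ballot-polling rule is implemented as the BRAVO-style sequential likelihood-ratio test of Lindeman, Stark and Yates, which is an assumption about what the slide's $\alpha_w$, $\alpha_\ell$ and $\rho$ stand for, and the 5/margin rule is taken as stated for a 10% risk limit. The sample of ballots and the Monte Carlo median are constructed here to check against the table, not data from the pilots.

```python
import math
import random

def ballot_polling_audit(sample, s_w, risk_limit=0.10):
    """Walk the sampled ballots in order ('W' = reported winner, 'L' = loser,
    anything else = no vote for either). Return the number of ballots examined
    when the evidence confirms the reported winner, or None if the sample is
    exhausted first (escalate, ultimately to a full hand count).
    Assumed form (BRAVO-style SPRT): H0 true share = 1/2 vs H1 share = s_w."""
    if not 0.5 < s_w < 1.0:
        raise ValueError("reported winner share must exceed one half")
    threshold = 1.0 / risk_limit      # stop once the likelihood ratio reaches 1/risk
    ratio = 1.0
    for n, ballot in enumerate(sample, start=1):
        if ballot == "W":
            ratio *= s_w / 0.5        # winner ballot: evidence for the reported outcome
        elif ballot == "L":
            ratio *= (1.0 - s_w) / 0.5  # loser ballot: evidence against it
        if ratio >= threshold:
            return n
    return None

def comparison_initial_sample(margin, risk_limit=0.10):
    """Slide rule of thumb for ballot-level comparison audits at 10% risk:
    about 5/margin ballots suffice if no discrepancies are found.
    margin is the diluted margin as a fraction of ballots cast."""
    if risk_limit != 0.10:
        raise ValueError("the 5/margin rule on the slide is stated for a 10% risk limit")
    return math.ceil(5.0 / margin)

def median_workload(true_share, risk_limit=0.10, trials=2000, seed=1, cap=100_000):
    """Constructed Monte Carlo check of the workload table: median ballots drawn
    when the reported winner share equals the true share."""
    rng = random.Random(seed)
    draws = []
    for _ in range(trials):
        ballots = ("W" if rng.random() < true_share else "L" for _ in range(cap))
        n = ballot_polling_audit(ballots, true_share, risk_limit)
        draws.append(cap if n is None else n)
    draws.sort()
    return draws[trials // 2]

if __name__ == "__main__":
    print(ballot_polling_audit("WWLWWWWWWW", 0.70))   # constructed sample
    print(comparison_initial_sample(0.02))
    print(median_workload(0.70))                       # table says about 22
```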

Evidence-based Elections
- Evidence = Auditability + Auditing
- Strongly software-independent voting system
- Compliance audit to check the integrity of the audit trail: is the system still SSI?
- Risk-limiting audit to check outcomes
- Puts incentives in the right place: better procedures and equipment mean less work for LEOs
- Current elections are procedure-based: equipment certification and election process.

End-to-End Verifiable Elections and Paper Evidence-Based Elections
- The goal of both is to have convincing evidence that the outcomes are right, or to know that the evidence isn't convincing
- They differ in the nature of the evidence, in who generates the evidence, in whom voters need to trust, and for what they must be trusted
- They also differ in the ability to recover from corruption of portions of the evidence trail
- Examine the differences and their impact on the strength of evidence and the anonymity of votes
- Suggest ways to combine them and to make E2E more resilient

E2E
- Focus on bulletin-board systems
- Voter can obtain strong evidence that her vote was cast as intended and counted as cast, and that all posted ballots were correctly tabulated
- Enforce vote anonymity using cryptography and procedures (voter cannot prove to anyone how she voted)
- Aggregate votes using homomorphic encryption or a mixnet
- Protect voter privacy using randomized threshold public-key encryption (requires collusion among officials to break anonymity)

EBE
- Focus on paper-based systems with risk-limiting audits
- Voters can obtain strong evidence that their vote was cast as intended
- Auditors can obtain strong evidence that outcomes are correct
- Enforce anonymity through equipment and procedures
- Small lapses can break anonymity to elections officials
- Some proposals (e.g., posting digital images of all ballots) could break anonymity to the public

E2E v EBE
- To have strong evidence that outcomes are correct, we need evidence that votes were recorded accurately, tabulated accurately, and reported accurately.
- Voters, the public, and elections officials have different roles in that process in E2E and in paper-based EBE
- Examine the consequences of the approaches for software independence and strong software independence, privacy, and verifiability

What does it take to make an E2E election resilient?
- Basic E2E is like a tamper-evident seal: SI, not SSI. It can tell that something went wrong, but not how badly; generally it can't recover.
- How can we enhance the basic strategy to make it easier to recover from errors?

Tradeoffs

| Evidence that ...                | E2E                | Paper          |
|----------------------------------|--------------------|----------------|
| own vote was cast as intended    | self, hard         | voter, easy    |
| others' votes cast as intended   | others, hard       | others, easy   |
| own vote counted as cast         | self/public, easy  | auditors, easy |
| others' votes counted as cast    | self/public, easy  | auditors, easy |
| only authorized voters voted     | self/public, hard  | LEO, easy      |

- Chain of custody versus direct visibility
- Definition of "any voter"

STAR-Vote
- Combines crypto with paper
- Might lose the E2E property for some voters, but keeps the resilient canvass framework
- Also protects against loss of some paper or loss of some crypto-data

Which really matters?
1. Under laboratory conditions, can the vote tabulation system as delivered from the manufacturer count votes with a specified level of accuracy?
2. As maintained, deployed, and used in the current election, did the vote tabulation system find the true winners?

Certification can cost millions and take years. It addresses Q1. Audits address Q2.

Role and consequences of certification
- Current certified systems make audits more expensive and less transparent than necessary.
- Maintenance costs are high; systems are not agile; stupefying inertia.
- Certification is still useful for some things, e.g., to ensure accessibility and the creation of a durable audit trail.
- Need to push for easily auditable systems using COTS components and free/open/cheap software.
- Travis County, TX and Los Angeles County, CA are leaders.