
REVISITING THE U.S. VOTING SYSTEM: A RESEARCH INVENTORY

November 27-28, 2006

Convened by the American Association for the Advancement of Science


Rene Peralta

DIRECTIONS IN E-VOTING TECHNOLOGY

The Help America Vote Act (HAVA) has given NIST a key role in helping to realize nationwide improvements in voting systems.  To assist the Election Assistance Commission (EAC) with the development of voluntary voting system guidelines, HAVA established the Technical Guidelines Development Committee (TGDC). NIST research in support of the TGDC includes:

This research must take into consideration the often diverging requirements of accessibility and usability (by both voters and election officials) and security. From the perspective of voter accessibility, paperless direct-recording electronic (DRE) machines offer significant advantages over other voting technologies. This seems also to be the case from the perspective of usability by election officials. However, there is wide agreement in the academic community that it is beyond the state of the art to verify the correctness of large complex programs or to establish that they are free from malicious software. To most, but not all, security experts this implies that we cannot trust stand-alone DREs. By and large, this community has embraced the concept of voter verified paper audit trails (VVPAT) as the straightforward near term “fix” for the security problems of DRE. The result has been laws requiring use of voter verified paper audit trails in many states.

As currently deployed, the VVPAT fix has significant accessibility and usability problems. There is much ongoing debate on this important issue. However, it is also important to look beyond the current state of affairs to technological innovations which might in the end offer a better solution. Below I describe one promising area of research.

End-to-End Systems.

These systems give the voter the ability to verify that his or her vote is included in the final count. To make this verification possible, we generally assume that it is possible to post all votes in a public bulletin board so that anybody can tally them.

The simplest way to achieve this is for the voter to receive, at the time the vote is cast, a receipt for her vote. When all the votes are posted, the voter can verify (using a unique identifier printed both in the receipt and in the posted ballot) that her vote is listed. If it is not, she can present the receipt to a voting authority so that appropriate action can be taken. In order to prevent false receipts from being presented, it must not be possible to forge valid receipts. Fortunately, this is a well-solved problem. VVSG07 will likely require electronic voting units to have strong cryptographic keys. With these keys, the voting units would be able to issue receipts that cannot be forged.  This is mature technology already in use for securing financial transactions over the Internet.

Thus, digital signatures and public bulletin boards can be used to enable voters to verify that their votes are counted as cast. We note, however, that this does not by itself allow the voter to verify that all posted votes are valid. Careful monitoring of the number of votes counted at each aggregation level (e.g., the precinct) is still needed. Ballot stuffing can be prevented at the precinct level by the presence of observers who verify that the total number of votes cast is equal to the number of votes posted in the public bulletin board.
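The receipt check, the dispute case and the observers' count described above can be sketched as follows. This is an added example, not part of the original paper: the function names and record layout are hypothetical, and an HMAC under a key shared by the voting unit and the election authority stands in for the unit's digital signature so that the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 under a key held by the voting unit and the
# authority stands in for the unit's digital signature (stdlib only).
UNIT_KEY = secrets.token_bytes(32)

def _tag(ballot_id: str, choice: str) -> str:
    msg = f"{ballot_id}|{choice}".encode()
    return hmac.new(UNIT_KEY, msg, hashlib.sha256).hexdigest()

def cast_vote(board: dict, choice: str) -> dict:
    """Voting unit: post the ballot and issue a receipt bound to it."""
    ballot_id = secrets.token_hex(8)  # identifier on both receipt and board
    board[ballot_id] = choice
    return {"id": ballot_id, "choice": choice, "sig": _tag(ballot_id, choice)}

def receipt_is_valid(receipt: dict) -> bool:
    """Authority: reject receipts the voting unit did not issue."""
    expected = _tag(receipt["id"], receipt["choice"])
    return hmac.compare_digest(expected, receipt["sig"])

def check_receipt(board: dict, receipt: dict) -> str:
    """Classify a voter's claim against the public bulletin board."""
    if not receipt_is_valid(receipt):
        return "forged"
    if board.get(receipt["id"]) != receipt["choice"]:
        return "missing-or-altered"  # genuine receipt, ballot not as cast
    return "counted"

def counts_reconcile(board: dict, ballots_cast: int) -> bool:
    """Observers: posted ballots must equal ballots cast in the precinct."""
    return len(board) == ballots_cast

def demo() -> dict:
    board = {}
    receipts = [cast_vote(board, c) for c in ("A", "B", "A")]  # constructed
    result = {"honest": check_receipt(board, receipts[0])}
    # A receipt whose choice was changed after issue no longer verifies.
    result["forged"] = check_receipt(board, dict(receipts[1], choice="A"))
    result["reconciled_before"] = counts_reconcile(board, 3)
    # A ballot dropped from the board is exposed by its genuine receipt.
    del board[receipts[2]["id"]]
    result["dropped"] = check_receipt(board, receipts[2])
    result["reconciled_after"] = counts_reconcile(board, 3)
    return result

if __name__ == "__main__":
    print(demo())
```

With a real signature scheme the receipt could be verified by anyone holding the unit's public key, not only by the authority.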

Although the method just described may be acceptable to some jurisdictions, we note that it may facilitate coercion as well as allow buying and selling of votes. We now discuss these two problems.

We first note that there is no perfect solution to these problems. There are people who are vulnerable to coercion even if their vote is absolutely secret. Similarly, person A may trust person B to honor a contract to vote a particular way (for a fee). Thus, our goal is to reduce the incidence of coercion and vote buying and selling. From this perspective, it helps that these activities are illegal.

We first consider a number of simple palliative measures:

i) make receipts easily duplicable;

ii) allow voting units to issue valid receipts picked at random from a (sufficiently large) set of previously cast votes;

iii) put an open box near the voting booth where people can drop their receipts and/or take other people’s receipts.

An additional measure is to engineer the voting unit in such a way that issued receipts are shredded (rather than given to the voter) half of the time. In this way, a voter who is being coerced can always claim that she voted as ordered but that her receipt was destroyed.

Proper implementation of the above techniques requires careful engineering. For example, in the last technique it is better if the voting unit does not know which receipts get destroyed.

Finally, we note that a variety of combinatorial and/or cryptographic techniques can be used to provide end-to-end verifiable voting. For some of these methods, the mathematics involved is too complex for non-mathematicians to understand. Other end-to-end methods use simple mathematics but require the voter to perform counter-intuitive steps. However, there is no question that these methods are correct and provide end-to-end voter verifiability, and hence offer great promise for the future.

 





Copyright © 2013. American Association for the Advancement of Science.