Georgios Tsoukalas, Kostas Papadimitriou, and Panos Louridas, Greek Research and Education Network; Panayiotis Tsanakas, National Technical University of Athens We present Zeus, a verifiable internet ballot casting and counting system based on Helios, in which encrypted votes are posted eponymously to a server, then are anonymized via cryptographic mixing, and finally are decrypted using multiple trustee keys. Zeus refines the original Helios workflow to address a variety of practical issues, such as usability, parallelization, varying election types, and tallying through a separate computing system. In rough numbers, in the first nine months of deployment, Zeus has been used in 60 elections, tallying a total of more than 12000 votes.
Susan Bell, Office of the Travis County Clerk; Josh Benaloh, Microsoft Research; Michael D. Byrne, Rice University; Dana DeBeauvoir, Office of the Travis County Clerk; Bryce Eakin, Independent Researcher; Gail Fisher, Office of the Travis County Clerk; Philip Kortum, Rice University; Neal McBurnett, ElectionAudits; Julian Montoya and Michelle Parker, Office of the Travis County Clerk; Olivier Pereira, Université Catholique de Louvain; Philip B. Stark, University of California, Berkeley; Dan S. Wallach, Rice University; Michael Winn, Office of the Travis County Clerk STAR-Vote is a collaboration between a number of academics and the Travis County (Austin), Texas elections office, which currently uses a DRE voting system and previously used an optical scan voting system. STAR-Vote represents a rare opportunity for a variety of sophisticated technologies, such as end-to-end cryptography and risk limiting audits, to be designed into a new voting system, from scratch, with a variety of real world constraints, such as election-day vote centers that must support thousands of ballot styles and run all day in the event of a power failure. This paper describes the current design of STAR-Vote which is now largely settled and whose development will soon begin.
Kristen K. Greene and Michael D. Byrne, Rice University; Stephen N. Goggin, University of California, Berkeley Despite the importance of usability in ensuring election integrity, it remains an under-studied aspect of voting systems. Voting computers (a.k.a. DREs) offer the opportunity to present ballots to voters in novel ways, yet this space has not been systematically explored. We constructed a DRE that, unlike most commercial DREs, does not require voters to view every race, but instead starts at the “review screen” and lets voters directly navigate to races. This was compared with a more traditional, sequentially-navigated, DRE. The direct access navigation model had two effects, both of which were quite large. First, voters made omission (undervote) errors markedly more often. Second, voters who were free to choose who to vote for chose to vote in substantially fewer races. We also examined the relationship between the true error rate—which is not observable in real elections—and the residual vote rate, a measure of effectiveness commonly used for real elections. Replicating the findings of [Campbell and Byrne 2009a], the mean residual vote rate was close to the mean true error rate, but the correlation between these measures was low, suggesting a loose coupling between these two measures.
Morgan Llewellyn, IMT Institute for Advanced Studies Lucca; Steve Schneider, University of Surrey; Zhe Xia, Wuhan University of Technology; Chris Culnane and James Heather, University of Surrey; Peter Y.A. Ryan, University of Luxembourg; Shriramkrishnan Srinivasan, University of Surrey Proposals for a secure voting technology can involve new mechanisms or procedures designed to provide greater ballot secrecy or verifiability. These mechanisms may be justified on the technical level, but researchers and voting officials must also consider how voters will understand these technical details, and how understanding may affect interaction with the voting systems. In the context of verifiable voting, there is an additional impetus for this consideration as voters are provided with an additional choice; whether or not to verify their ballot. It is possible that differences in voter understanding of the voting technology or verification mechanism may drive differences in voter behaviour; particularly at the point of verification. In the event that voter understanding partially explains voter decisions to verify their ballot, then variance in voter understanding will lead to predictable differences in the way voters interact with the voting technology.
This paper describes an experiment designed to test voters’ understanding of the ‘split ballot’, a particular mechanism at the heart of the secure voting system Prˆet `a Voter, used to provide both vote secrecy and voter verifiability. We used a controlled laboratory experiment in which voter behaviour in the experiment is dependent on their understanding of the secrecy mechanism for ballots. We found that a two-thirds majority of the participants expressed a confident comprehension of the secrecy of their ballot; indicating an appropriate level of understanding. Among the remaining third of participants, most exhibited a behaviour indicating a comprehension of the security mechanism, but were less confident in their understanding. A small number did not comprehend the system. We discuss the implications of this finding for the deployment of such voting systems.
Dalia Khader, Peter Y. A. Ryan, and Qiang Tang, Université du Luxembourg Prêt à Voter is a supervised, end-to-end verifiable voting scheme. Informal analyses indicate that, subject to certain assumptions, Prêt à Voter is receipt free, i.e. a voter has no way to construct a proof to a coercer of how she voted. In this paper we propose a variant of Prêt à Voter and prove receipt freeness of this scheme using computational methods. Our proof shows that if there exists an adversary that breaks receipt freeness of the scheme then there exists an adversary that breaks the IND-CCA2 security of the Naor-Yung encryption scheme.
We propose a security model that defines receipt freeness based on the indistinguishability of receipts. We show that in order to simulate the game we require an IND-CCA2 encryption scheme to create the ballots and receipts. We show that, within our model, a non-malleable onion is sufficient to guarantee receipt freeness. Most of the existing Prêt à Voter schemes do not employ IND-CCA2 encryption in the construction of the ballots, but they avoid such attacks by various additional mechanisms such as pre-commitment of ballot material to the bulletin board, digitally signed ballots etc. Our use of the Naor-Yung transformation provides the IND-CCA2 security required.
Josh Benaloh, Microsoft Research When the Australian secret ballot was introduced in the 1850s, it not only provided privacy for those voters who wanted it, but it also effectively eliminated coercion by allowing no viable means for voters to prove their votes to third parties. In an environment where the privacy of voters is enforced by independent observers, coerced voters could freely express their true preferences while making their selections.
In contrast, modern technologies render the traditional poll-site protections largely ineffective, and the limited remaining options for preserving these protections will almost certainly disappear in the not-too-distant future. Today, in-person voters routinely carry video recording equipment and other technologies that facilitate coercion into polls, and although not yet ubiquitous, inexpensive and unobtrusive wearable video recording devices are readily available. In view of these realities, it is appropriate to re-examine the efforts and countermeasures currently employed and explore what defenses are possible and reasonable against various forms of voter coercion.
Eric Kim, Nicholas Carlini, Andrew Chang, and George Yiu, University of California, Berkeley; Kai Wang, University of California, San Diego; David Wagner, University of California, Berkeley This paper studies how to provide support for ballot-level post-election audits. Informed by our work supporting pilots of these audits in several California counties, we identify gaps in current technology in tools for this task: we need better ways to count voted ballots (from scanned images) without access to scans of blank, unmarked ballots; and we need improvements to existing techniques that help them scale better to large, complex elections. We show how to meet these needs and use our system to successfully process ballots from 11 California counties, in support of the pilot audit program. Our new techniques yield order-of-magnitude speedups compared to the previous system, and enable us to successfully process some elections that would not have reasonably feasible without these techniques.
Duncan A. Buell, University of South Carolina In his State of the Union address, President Obama referred to long lines faced at the polls on November 6, 2012, and said, “we have to fix that.” Although it seems to have received relatively little national attention, Richland County, South Carolina, with more than 12% of its votes cast after polls were officially closed, was probably among the very worst counties in the nation for lines and wait times.
In this paper, we analyze the data from the DREs used for voting in South Carolina, and we compare the voting process in Richland County with that in Greenville County, where there were more total votes and more votes per DRE voting terminal, but where there were fewer than one-half of one percent of the votes cast after closing time.
|
