Jan 07 2009
Electronic voting machines were supposed to make elections cheaper, faster, and more secure, but so far they have failed. In the last decade there has been something of a rush to adopt e-voting, followed by suspicion and controversy over the black-box, “just trust us” nature of the first generation of commercial systems, followed by a return to paper ballots in many jurisdictions. However, if we wish to improve election processes, cheap and fast is probably the wrong goal. It may be possible to use cryptographic techniques to implement end-to-end auditable elections, new in human history.
The e-voting fiasco has illustrated that paper ballots are a better system than they might at first seem. Paper preserves voter secrecy, it is auditable after the fact, and it is even reasonably transparent, if one also allows election observers. But paper ballots must be closely guarded and cannot be directly counted by members of the general public, who in the end have no choice but to trust election officials, observers, counting equipment, and the entire chain of custody. Rather than simply duplicating paper ballots electronically, we should strive to improve upon them.
This seems to be possible. Modern cryptography suggests the possibility of a new kind of incredibly transparent and fair election, where ordinary citizens can verify the soundness of the election for themselves, without ever needing to trust blindly that a huge array of machines and people have acted correctly. This represents a fundamentally new ability: for the first time, it may be possible to hold truly “open” elections.
What are we trying to accomplish?
Ideally, a democratic voting system would satisfy the following criteria:
- Secrecy: to prevent coercion or vote-buying, each person’s vote must be secret in perpetuity.
- Transparency: all voting procedures must be public and understandable by everyone.
- Verifiability: it must be possible to independently audit or validate the election results.
- Usability: it must be easy to vote, and cheap to deploy the system for hundreds of millions of voters.
In this way, each person would vote freely, while the entire society could have confidence in the outcome. The difficulty with these criteria is that they conflict: it is hard to preserve both secrecy and verifiability in a simple, transparent way.
Paper ballots fall short of these ideals in many ways. They are nicely secret, and the process is reasonably transparent, as there are public laws describing exactly how the votes are to be tallied, regulations providing for election observers, etc. However, independent audits are not really possible, because they require access to a large quantity of fragile and politically sensitive paper. In principle, we would like it to be possible for any regular citizen with sufficient time on their hands to perform a complete audit of the election results.
Election results could be openly verified by publishing copies of every ballot cast, but only if there were some way to ensure that these copies were accurate. This could be done by issuing each citizen some sort of receipt of their vote which could be checked against the public list, but then votes would not be secret: they could be coerced or bought by offering a clandestine cash reward for receipts.
While paper ballots leave much to be desired, current electronic voting systems are worse. All e-voting machines are essentially “black boxes” that transform the voter’s choice into a final tally by some complex and unknown process. This makes them completely non-transparent. In the worst case, paperless direct recording electronic (DRE) voting machines are not at all verifiable, which makes them subject to both invisible malfunction and deliberate hacking (either in the voting booth or at the tally station.) There has never been a convincingly documented case of miscount or fraud with DRE machines, but that may only be because such machines leave absolutely no record of the election process!
Because of this, many American states now require a paper record even for otherwise electronic machines, but even paper audit trails are problematic: when is an audit performed? Will all ballots be routinely audited or just a sample? What is the right sample size for confidence in the results? What happens if a discrepancy is discovered? Meanwhile, other states have gone back to paper ballots entirely and a number of electronic voting machines have been de-certified.
Enter cryptography, the discipline that has brought us such miracles as secure communication between two parties who have never exchanged any information in secret (public-key cryptography), tamper-proof electronic documents (digital signatures), and the ability to prove that one knows a secret without giving it away (zero-knowledge proofs.) In the wake of these achievements, there has been some hope that proper cryptographic protocols will simultaneously solve the secrecy, transparency, and verifiability issues.
Voting might still be electronic in a cryptographic system, but the security of an election would rest on open cryptographic protocols rather than on trusted system implementations, the physical security of ballot boxes, or the honesty of certain people. Even better, the election results would be auditable at any time from public information, and each voter could verify that their own ballot was correctly recorded yet their personal vote would remain secret and unprovable.
Such a system is said to be end-to-end auditable, and represents a fundamental shift: for the first time, it may be possible to hold completely “open” elections in the sense that governments and election officials would have no more authority or power than ordinary citizens. This is unprecedented in human history, and it is exciting.
It is also quite a trick, and has never been demonstrated in practice. Aside from secrecy, transparency, and verifiability, any proposed cryptographic voting system must guard against many different kinds of attacks. These include tampering and “denial of service” attacks against the election, such as the ability to spoil the election through some sort of interference (as might suit an opposition group) or to arbitrarily declare that it was spoiled in some non-disprovable way (as a dictator might wish to do.)
A Toy Example: ThreeBallot
Like much of modern cryptography, the simultaneous provision of both secrecy and verifiability seems counter-intuitive. To aid in the study and conceptualization of such systems, professor Ron Rivest of MIT (the “R” of RSA fame) invented a “toy” voting system in 2006 called ThreeBallot.
It works like this: each voter is given three identical ballots in the voting booth. To vote for a candidate, the voter writes a mark on two randomly chosen ballots; to vote against a candidate, only one randomly chosen ballot is marked.
A valid vote is one in which each candidate is marked on either one (against) or two (for) randomly selected ballots. This could be checked e.g. by an optical scanning machine, much as paper ballots are currently validated at polling stations.
Then the voter secretly chooses one of the ballots and makes a copy of it as a receipt; the others are dropped into the ballot box. Each of the three ballots has a unique serial number.
After the election, all ballots are published publicly, and anyone can tally the election results from these copies. Additionally, each voter can verify that their ballot was published accurately by looking up their receipt in the published list. Yet there is no way to use a receipt to determine who someone voted for, because the voter can arrange to have any particular set of markings on the receipt that they keep. The receipt also prevents tampering, because a would-be tamperer does not know which of the three ballots the voter has retained. Thus there is a 2-in-3 chance of getting away with tampering with (or deleting) any one vote, but only a (2/3)^N chance of getting away with tampering N votes — like tossing N heads in a row, these are very rapidly shrinking odds.
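As an added example (not code from the original post or from Rivest's paper), here is a small Python simulation of the ThreeBallot procedure just described: casting, the scanner's validity check, publication with serial numbers, receipt verification, tallying, and a Monte Carlo estimate of the (2/3)^N odds a tamperer has of going undetected. The candidate names and the serial-number layout are constructed for the example.

```python
import random

CANDIDATES = ("Alice", "Bob", "Carol")   # constructed sample race, not from the post

def cast_vote(choice, rng):
    """Two marks for `choice`, one for each other candidate, on randomly chosen ballots."""
    ballots = [dict.fromkeys(CANDIDATES, 0) for _ in range(3)]
    for cand in CANDIDATES:
        for idx in rng.sample(range(3), 2 if cand == choice else 1):
            ballots[idx][cand] = 1
    return ballots

def is_valid(ballots):
    """The scanner's check: each candidate marked on exactly one or two of the three."""
    return all(1 <= sum(b[c] for b in ballots) <= 2 for c in CANDIDATES)

def run_election(choices, seed=0):
    """Cast each vote, number the ballots, publish all of them, keep one copy as a receipt."""
    rng, published, receipts, serial = random.Random(seed), {}, [], 0
    for choice in choices:
        ballots = cast_vote(choice, rng)
        assert is_valid(ballots)
        kept = rng.randrange(3)                 # which ballot the voter copies and takes home
        for idx, b in enumerate(ballots):
            serial += 1
            published[serial] = dict(b)
            if idx == kept:
                receipts.append((serial, dict(b)))
    return published, receipts

def tally(published):
    """Each voter puts one 'against' mark on every candidate, so subtract one per voter."""
    voters = len(published) // 3
    return {c: sum(b[c] for b in published.values()) - voters for c in CANDIDATES}

def receipts_match(published, receipts):
    """Post-election check each voter can do: find their serial and compare the marks."""
    return all(published.get(serial) == marks for serial, marks in receipts)

def tamper_escape_rate(n_votes, trials, n_voters=20, seed=0):
    """Alter one ballot of each of n_votes voters after publication; the fraction of
    trials no receipt catches should approach (2/3)**n_votes, the odds given above."""
    rng, escaped = random.Random(seed), 0
    for _ in range(trials):
        published, receipts = run_election(["Alice"] * n_voters, seed=rng.randrange(1 << 30))
        for voter in rng.sample(range(n_voters), n_votes):
            serial = 3 * voter + rng.randrange(1, 4)   # voter v holds serials 3v+1..3v+3
            published[serial] = {c: 1 - v for c, v in published[serial].items()}
        escaped += receipts_match(published, receipts)
    return escaped / trials
```

With 2000 trials, tampering with a single vote escapes roughly two times in three, while tampering with ten votes escapes under 2% of the time.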
ThreeBallot was never meant to be a real election system, and in fact in a University class voting experiment ThreeBallot was found to have significant security and usability problems: a third of voters couldn’t produce a correct set of ballots the first time, and a student “attacker” was able to manipulate about 20% of the votes cast, enough to change the election result. He did this in part by clandestinely reading other people’s receipts, such as those left in voting booths or on desks. This reminds us once again that security is always about much, much more than good cryptography.
However, the basic ideas of ThreeBallot — randomness in the vote-casting process, voter receipts, published ballots, and probabilistic tampering detection — are found in virtually all cryptographic voting schemes.
Serious proposals are somewhat more complex. Some are designed to be entirely electronic while others are additions to paper ballot systems. Major proposals include Punchscan (2006) by cryptographer David Chaum, Scantegrity (2007) by David Chaum and Ron Rivest, and Bingo Voting (2008) by a trio of German researchers. All of these systems are very cryptographically clever, but as always, security in the real world is about much more than cryptography. A 2005 paper considered how a real election system employing end-to-end auditable protocols might work, and proposed various non-cryptographic attacks including collection of receipts, social engineering of election workers, and denial-of-service attacks which could invalidate the entire election (such as hacking the voting machines to record spoiled ballots.)
Also, many problems just cannot be solved cryptographically. One major reason why we don’t have internet voting is that it is impossible to prevent coercion and vote buying if voters can mark their ballots at home. A physical polling booth can at least be secured against witnesses — though not against, say, someone who will pay for cell-phone camera pictures of a suitably marked ballot. A completely secure voting system is probably completely impossible.
Nonetheless, there is hope for electronic voting systems, not because they would allow us to vote cheaper or faster or more conveniently, but because they hold the promise of more transparent elections. Would-be designers and implementers of voting systems must realize that the purpose of a voting system is not just to count votes, but to ensure that everyone believes that the process was fair, and to ensure that this fairness can be proved as easily and as widely as possible.