>> Josh Benaloh: I'm going to talk a little bit about a technology that has a lot of overlap with
what Ron just talked about but some crucial differences. I'm terrible with names. Scantegrity is a
cool name, best I've got is Verified Optical Scan. I should do better coming up with names.
But this is sort of one way of exploiting a paradigm, which I think is very powerful in this area.
So let's see. That's the wrong button. Forward. Okay. So here's sort of my fundamental guiding
principle in this, in that voter complexity really needs to be minimized. Absolutely minimized. We
don't want to burden voters any more than we already do. There's enough problems without any
verifiability and confusion. As little as possible to burden voters.
But there is a tension going the other way, because we want to give voters the capability of
verifying their votes. And a lot of systems, it's, okay, now come along, now here's the process
you have to go to to get your ballot cast in a verified way. It can add a lot of complexity.
So the approach is to make verifiability, make verification an option rather than a part of the
system that every voter must go through.
And it's not as great as a system where every voter does verify the ballot, every ballot that gets
cast. But it seems to get enough, and this is something that Scantegrity is also doing. There was
about a 3 percent rate of voter checking I think in the Scantegrity case. Some other cases -- I've
seen suggested there might be a higher level of verification, if voters understand the process
better or for other means.
So we want to give voters the capability in as an unobtrusive a way as possible so that voters
who are not desiring of more complexity don't have to be burdened by it.
Okay. So what I want to do is describe a cancel challenge paradigm, and this is really -- Ben
described it. Ben did me the favor of describing it earlier. So I can go through it more quickly and
easily now. But the idea is to allow voters to select their preferences in what I'm describing as a
customary fashion. Customary can mean on a DRE, a touch screen voting device, or using an
optical scan, bubble sheet ballot, or other means.
We don't need to get into the details immediately. This paradigm actually works across many
different possibilities.
And I'm going to concentrate on the bubble scan optical scan approach. Ben is actually going to
be talking about using this in electronic form a little bit later.
But whatever you do after you have selected your candidates, selected your preferences, the
voter will then get, in some form, an encryption of those selections.
And then in one form or another, depending on the specific technology being used, the voter,
after everything else is done, after having received a commitment, an encryption of the voter
choices, gets some sort of a final question. One more step, which could take the form, roughly, of
okay do you want to cast this ballot.
Now, David showed this morning if it's asked in the wrong way that extra question can pose a big
problem. We want to make sure that voters know they have to get to that point and it's not vote
before that.
But at the very end, after the commitment, voters are asked, okay, do you want to cast a ballot?
And if the answer is no, for any reason at all, either because the voter is particularly wanting to
issue a challenge or because the voter realizes, oh, I forgot something, or because the voter is
given some feedback that says, wait a minute, this ballot is not exactly what I meant to do, then
answering no immediately triggers an audit of the cancelled ballot. It's an automatic process that
voters can be aware of but often won't be aware of and don't have to be aware of.
Only those who want to use this as a challenge process have to use this cancel as a way of
triggering an audit. So now I'm going to talk about how this can be applied specifically in the op
scan case, giving some properties similar to Scantegrity. But some crucial differences.
So the idea is we start with precinct-based optical scanners, this is something that people are
finding is a preferred alternative right now among the nonverified systems. People are moving in
droves away from electronic DREs. Other forms of ballots are considered undesirable.
Certainly old lever machines we don't see a lot of, and punch cards, no, no, they cannot be used
anymore. We wouldn't think of that.
We start with precinct optical scanners. When a ballot is read by an optical scanner, then the
scanner does two things. It increments the tallies and creates an encrypted copy of the ballot
contents, according to the tally that I just encrypted locally.
So I'm mentioning this. It's a little unfair. I asked Ron a question at the end about sort of the
reconciliation, because this keeps a very tight binding between the tally that is kept on the
scanner and the verified tally, because the encryption is going to match exactly.
The scanner is going to read a ballot and say, okay, this is a vote for Alice. Well, a vote for Alice
means increment the tally for Alice and create an encryption for a vote for Alice. They're bound
very closely together.
Once this is done, the scanner will retain a copy of the encrypted ballot to go into sort of the
back-end verification process. And provide the voter with a copy of that same encrypted ballot.
So the back-end verification, I don't want to worry about now. Ben did a great job this morning
about talking about different methods of doing it.
We have different ways of doing this. They're very solid right now. There's a publicly verifiable
system. Mixing terms again. We're going from end-to-end verifiable to truly verifiable, open
audit. Now here I'm using publicly verifiable, is yet another term. We can't yet quite agree on
this.
We'll see what sticks. But we have some sort of a back-end system that will do the tallying of the
verified ballots. So the details of the back end we really don't need to worry about here. It's just
whatever encryption we do in front is whatever is necessary in back.
But we need voters to be able to verify that their choices, their selections have been encrypted
properly. This is where this voter-initiated auditing, this cancel challenge approach works.
So voters who want to have their ballots challenged can do so by simply doing a cancel step. So
if you cast the ballot, you're done, there's nothing more you have to do. You've got a receipt.
You can check that online but you don't have to. But there's also the challenge opportunity. And
the key thing here is you can do one or the other, but not both. Because if you can do both, then
you're getting an opening, a decryption, a proof of the contents of this ballot, which has also been
cast that allows you to take it to a third-party to sell it, be coerced and other things. It's either/or.
One of the two, never both.
So nice thing about the ballot format -- here's a case where it differs from Scantegrity, is we can
use optical scan ballots exactly as they're used today. We don't need special marks. We don't
need special inks. We don't need special pens. The ballots can be identical. We don't need
serial numbers or anything to distinguish them.
We can use completely identical ballots to what's being done today. And I'll show you where we
lose compared to the Scantegrity on this. But this is a slight benefit. Ideally, a ballot scanner
would have certain properties which are very similar to what's found in ballot scanners now. So,
first of all, ideally we have a ballot scanner which is capable of reading a ballot's contents and
conditionally, depending on those contents, spinning it back and rejecting it.
Now, we typically have that now to prevent overvoting. That if a ballot scanner determines, wait,
you voted twice for this one office, the scanner can reject the ballot and say this ballot is going to
be disqualified unless you change it.
So this capability already exists. And it's actually very useful here. Other things we'd like to have
on the scanner are some sort of a printer to print a receipt for a voter.
Now, typically we do find printers on optical scanners, but they're usually sort of in the back for
printing the tallies there. But this would make them more accessible, make them available to
voters. A small display would be nice. Not required. Often does exist, but not always.
Some buttons, accessible to a voter to offer some choices. Again, there are some buttons
usually available. But maybe not accessible to voters easily.
And one other thing that I think is a very desirable property that is not found on any optical
scanners that I know of, it is found in some other voting equipment. And that's the ability to print
on to a ballot that has already been submitted. So I want to be able to do what's sometimes
called overprinting on to a ballot.
And it's not a required thing. But here's why I really want to be able to do it. I want to be able to
print directly on to the ballot what the scanner interprets as the contents of that ballot.
Now, if you think about this, this is not a privacy violation in any way. This is a I read this ballot as
X. X should already be on that ballot. So you're not really compromising the privacy in any way.
But you're fixing what the scanner interprets as the contents of the ballot and what will be
encrypted and what also goes into the tally. A real advantage of this, aside from any
cryptographic or verifiability stuff, is that when you do a recount of the sort that Paul talked about
this morning, we had this very elaborate recount five and a half years ago in the state where we
counted. We got a tally. We counted again. We got a slightly different tally. We counted a third
time, and we got a slightly different tally again, with a different winner the third time.
And these are kind of voodoo. Okay. Let's try it again. Let's go from scratch. If we have this
kind of overprinting on a ballot, we can say, okay, here's the tally that was done. Now we did a
handcount and we see we have differences, and we can look and see exactly where the
discrepancies are.
These 324 ballots are being counted differently the second time than the first time, look at these
particular ballots. These are the discrepancies. Here's why the machine counted it this way and
we are now recording it this other way.
It allows you to go and very precisely look at where the differences are. And it allows the process
to converge instead of just being repeated, which I think is a real benefit.
But it remains to be seen. Okay. So if you do this, then the process becomes voter prepares an
optical scan ballot in a completely conventional manner. Puts the ballot into a scanner and the
scanner will then read the contents and give the voter an encrypted copy, a copy of the
encryption of the contents that will eventually be posted in most cases.
The voter is given up to three options. The middle option doesn't have to be there, but it can be
nice. It can cast the ballot. It can modify the ballot as one possibility. We'll talk about that in a
second, or could cancel the ballot and thereby issue a challenge. The cast option is pretty much
what you would expect. At that point the scanner's interpretation of the ballot content is printed
on to the ballot. And the signature together with a hash of the encryption is put on the paper
receipt.
Voter takes this receipt home. Voter can check it later. All the back-end stuff is as usual. If we
want to make the modify option available, this is probably something where there's a display or
some means where the voter can see the scanner's interpretation of the ballot, and the voter can
look at the small display. Maybe isolate it so nobody else can see it. And say, wait a minute, this
is being interpreted as a vote for McCain, I meant to vote for Obama, modify, cancel, whatever,
get me out of here.
But some way of checking the interpretation before the final commitment. So that would be a
nice thing to be allowed to do, and the voter is then allowed to take the receipt. But nothing is
being posted that's saying, okay, go back, restart, do whatever you want to do with this ballot,
we're not going to cast this ballot here.
The cancel option is what creates the challenge. And the challenge is effectively, okay, open the
ballot. Give a verifiable decryption of everything on the ballot. And one extra thing that I want to
be able to do, it's not necessary but it's really nice to be able to print on to the ballot void. This
ballot has been cancelled or just mark some location that says this ballot is no longer eligible for
casting because the thing you want to avoid is, okay, I take this ballot. It's going to be cancelled.
Spits back out. It's cancelled. I get a decryption of the contents but I have basically a paper
receipt of what this ballot's contents were, and I take the ballot and I immediately issue it again
and cast it. And now I effectively have a receipt of what somebody in the back of the polling
station might have seen as the ballot I put in, got back and put in again.
So I want to be able to say if you cancel it, it really is cancelled, start over. Okay. Verification. I
think at this point it's all pretty clear. Voters can check their encrypted ballots are properly
posted. Can check all the back-end tallying is done properly. Most voters might do -- some
voters might do the first. Few voters will do the second but they might run apps or they might just
have people they trust or their political parties or representatives or somebody.
And anybody that does it can do all the back-end checking. And that checking, any apps that do
checking would also include checking on down at the bottom, any cancelled ballots are really
checked there, that's where you get confirmation of the correct encryption. All the voter would
take home is a code for any cancelled ballot and check that those codes are properly posted, a
fingerprint of some sort.
Benefits: There's an additional audit path just like Scantegrity provides besides the original op
scan count. You block some of the conspiratorial threats that you might have if you have a
vendor who might have had some sort of a bad count or maybe you think election officials are
doing something nefarious in the background. I won't go into a lot of detail but you get rid of that.
You can detect inadvertent scanner errors, scanner registration problems. Now you can start to
detect in real time during an election rather than finding out later that the scanner was
misregistered and counting things badly.
There are some threats. I want to sort of rush through so I'm not going to spend a lot of time on
this. But, of course, as Ron was saying, cryptographic compromise is a new threat to voter
privacy that's added here. If the keys are compromised, if the crypto system is used, whatever
the encryption system that's used is compromised then this is another way that one can find out
how somebody voted other than what might exist today.
So it is a new threat. There are possibilities of covert channels that are created through the
encryption. There are some ways of mitigating these. It's a little complicated. I don't want to go
into that much here. Coercive threats are possible here.
One thing you might not think of immediately is if I get to the scanner and I can see somebody
who is coercing me, and that person can signal me somehow to cast or challenge at the very last
minute, then I can be coerced by the take your ballot, fill it out the way I want you to fill it out, take
it to the scanner and then on my mark cancel, cast, whichever.
If I don't know which it's going to be, if I think it might be cancel, then I better have the ballot that
you want me to have. So you have to be a little careful about laying out a polling place so that
there's some privacy from coercive forces that you don't have the scanner facing an open window
or something, the scanner should face sort of a blank wall and nobody could be behind it so I
can't be coerced at that time.
So some details. These are threats that can be mitigated, can be taken care of, duplication. If
the process is done properly, that's not a problem.
Some nice things are if you don't have a receipt printer, there are some alternatives. You can just
use the hash code. If there's no display available, just buttons are enough. If you don't have
overprinting capabilities, then you have to do a little bit more work to save voters, when you've
got a ballot that's rejected you just can't resubmit it, you have to walk away with it and at least
spend a few minutes, have an opportunity to change it or something like that.
A nice thing here is that you can implement a lot of these things without doing full verifiability. So
sort of incremental steps towards full verifiability, that have other benefits and other
improvements that get there. And eventually, once we have incremental improvements, then we
can go -- I guess I'm skipping ahead myself. But can go to the point where you have actually
implemented public, truly end-to-end verifiable, verifiability without sacrificing sort of what we
have in traditional op scan.
So it's an approach that gets us there. Okay. I should stop. Take any questions if there are any.
[applause].
>>: So your printer needs to be able to print some and then pause while the voter decides
whether to cast or cancel, and then print the corresponding --
>> Josh Benaloh: I don't think so. I think the printer, the op scanner needs to be able to accept
the ballot, read the ballot, create an encryption. But the printing doesn't have to be done until sort
of the last step. And it will print and -- I think print and either cast or reject. But it doesn't have to
print and then pause and then maybe do something else.
>>: You need the printer to commit to the encryption --
>> Josh Benaloh: So the ballot, so the over printer doesn't need to. The receipt printer -- the
receipt printer, yes, should print and pause, yes. I'm sorry. I wasn't clear.
>>: To address the issue where someone gets back, could you do something where the minute
you cancel it goes to a special bucket and [indiscernible].
>> Josh Benaloh: That would be a possibility. It just might be a little bit aggravating if you don't
have that -- there are some reasons why you'd like to be able to give back the ballot. But it could
go to a separate place. If you want to be able to modify, oh, I made one mistake on this huge
ballot. Whoops, sorry, start again. The other reason is you might want to have that as at least
partial evidence.
I mentioned -- and I didn't get to -- a real benefit that Scantegrity has is this dispute resolution
process. Here, if you've been cheated, if you press the challenge button, the cancel, it would say
no, I don't want to cast this vote, and the op scanner says thank you for casting this vote and just
sucks it in and votes, you don't have much recourse. You know you've been cheated, but you
have no way of proving it.
So it's nice if the process could at least, if it's operating properly, give you back the ballot as
partial evidence of malfeasance. In some cases -- it doesn't cover the case I just described, but
it's nice if it can as a trade-off.
>>: Doesn't solve the first problem, but the second problem can be solved, it's still in a box
basically says cancel. If it sees it come in again it just won't accept it; the scanner will notice.
>> Josh Benaloh: Yeah. Yes, you want to -- yes. In some sense. If you have overprinting. If
you can't print on the ballot, then you can take care of the problem of resubmitting the same
ballot. That's sort of the -- the initial benefit of overprinting, but there are these other benefits in
being able to see what the interpretation of the voter's marks were so that you can reconcile
differences more easily.
>>: In terms of voiding a ballot, what's cheaper, printing void on it or punching a big hole in it like
we did in the past?
>> Josh Benaloh: It may be. Instead of overprinting, you might be shredding instead.
>>: Very expensive. Punching a hole is much cheaper.
>> Josh Benaloh: Yeah. There may be other possibilities there, absolutely.
>>: One of the things we learned with the Scantegrity experience was the issue, sort of the
timing. One of the nice things about Op Scan, it's very fast for the voter. The voters are in
parallel filling other ballots and scanning. Here you've got a scanner interaction, it's a little bit
more complicated. So do you have any feeling for how much impact that might have, have to buy
more scanners?
>> Josh Benaloh: I don't have a good feeling. I know from my own experiences, in using optical
scanners in this state, recently, when they were still available in poll stations in this state, that
there were many precincts, sort of very large poll site with one scanner and that scanner was
never backed up at all.
That scanner -- because it was so quick. And because you spend a lot of -- especially in
Washington, you spend a lot of time going through all the bubbles and whatnot. There was never
a queue. There was plenty of time on the scanner.
>>: Well, I would point out just for those who might be from the East Coast, that also in
Washington, one of the reasons maybe why there wasn't a good back-up is even if you had it all
in place 70 percent of the people who voted voted by mail. So only 30 percent of the voters who
actually went to the polling place.
>> Josh Benaloh: Yeah.
>>: So my question -- and I'm sure a lot of us are familiar with this system, there's a
commercially available system where you stick in a preprinted ballot and it recognizes what that
ballot is. You can vote your ballot on a DRE type of interface and it will print on it.
>> Josh Benaloh: Ballot printer.
>>: Yeah. And I think Ron's question kind of hit on it, which -- on the issue I would have, is that
that's a very long process. And so I would have a similar question as to how much this process
impacts.
>> Josh Benaloh: The basic answer is no, I don't have a good feeling for how much. I would
guess -- my supposition here would be that most voters put it in. A receipt prints out. Tear off the
receipt. Go, and they're gone. One percent of voters challenging, canceling, is plenty. Ten
percent would be great. And still I would think that would be a relatively minor burden.
There is still some back-up because there's now printing receipt and you need a more reliable
printer than you've probably got. And that does take a little bit of time and that can create some
confusion.
>>: It's an interpreting of the ballot --
>> Josh Benaloh: That would slow things down far more. The modified choice which I kind of
like, but I agree. There are a lot of costs not just financial in offering that option. But I think some
benefit, since this scanner is interpreting your ballot. I'd kind of like to know what interpretation
it's making.
But I don't know if it's the right thing. I don't know if it's the right -- okay. There were some open
issues. I don't know if it's appropriate for me to start throwing -- the biggest open issue for me on
this is the challenge process. That's lacking here that I know I've been screwed. I have no way
of proving it to anybody else that Scantegrity provides some evidence and this doesn't.
That's the biggest thing. But there are some other issues we could talk about.
>>: Make sure I understand your proposal. So the ballots are printed uniquely. But they're
printed, there's an interpretation. Is there any kind of unique ID then that's printed on the ballot?
>> Josh Benaloh: No.
>>: So the ballot just has its ovals and its interpretation, but if we want to match up the electronic
records with the paper records you can't do that on this basis?
>> Josh Benaloh: Well, actually, one possibility would be -- there are variations, of course. One
possibility is the encrypted ballot contents are also printed on to the ballot. And then you could do
the match-up, one for one. I'm not sure that's necessary. What I want --
>>: Looking at the coercion possibility that you were talking about also, somebody was looking at
a paper that's identified, a receipt that you could look it up?
>> Josh Benaloh: True. That would be a reason not to do that but instead to just have the
interpretation of the marks and nothing else, yeah.
Okay. So process, probably the thing to do is to take a ten-minute break and let's try to
resume promptly at 2:45 with Ben's talk on Helios.