>> Josh Benaloh: I'm going to talk a little bit about a technology that has a lot of overlap with what Ron just talked about but some crucial differences. I'm terrible with names. Scantegrity is a cool name, best I've got is Verified Optical Scan. I should do better coming up with names. But this is sort of one way of exploiting a paradigm, which I think is very powerful in this area. So let's see. That's the wrong button. Forward. Okay. So here's sort of my fundamental guiding principle in this, in that voter complexity really needs to be minimized. Absolutely minimized. We don't want to burden voters any more than we already do. There's enough problems without any verifiability and confusion. As little as possible to burden voters. But there is a tension going the other way, because we want to give voters the capability of verifying their votes. And a lot of systems, it's, okay, now come along, now here's the process you have to go to to get your ballot cast in a verified way. It can add a lot of complexity. So the approach is to make verifiability, make verification an option rather than a part of the system that every voter must go through. And it's not as great as a system where every voter does verify the ballot, every ballot that gets cast. But it seems to get enough, and this is something that Scantegrity is also doing. There was about a 3 percent rate of voter checking I think in the Scantegrity case. Some other cases -- I've seen suggested there might be a higher level of verification, if voters understand the process better or for other means. So we want to give voters the capability in as an unobtrusive a way as possible so that voters who are not desiring of more complexity don't have to be burdened by it. Okay. So what I want to do is describe a cancel challenge paradigm, and this is really -- Ben described it. Ben did me the favor of describing it earlier. So I can go through it more quickly and easily now. 
But the idea is to allow voters to select their preferences in what I'm describing as a customary fashion. Customary can mean on a DRE, a touch screen voting device, or using an optical scan, bubble sheet ballot, or other means. We don't need to get into the details immediately. This paradigm actually works across many different possibilities. And I'm going to concentrate on the bubble scan optical scan approach. Ben is actually going to be talking about using this in electronic form a little bit later. But whatever you do after you have selected your candidates, selected your preferences, the voter will then get, in some form, an encryption of those selections. And then in one form or another, depending on the specific technology being used, the voter, after everything else is done, after having received a commitment, an encryption of the voter choices, gets some sort of a final question. One more step, which could take the form, roughly, of okay do you want to cast this ballot. Now, David showed this morning if it's asked in the wrong way that extra question can pose a big problem. We want to make sure that voters know they have to get to that point and it's not vote before that. But at the very end, after the commitment, voters are asked, okay, do you want to cast a ballot? And if the answer is no, for any reason at all, either because the voter is particularly wanting to issue a challenge or because the voter realizes, oh, I forgot something, or because the voter is given some feedback that says, wait a minute, this ballot is not exactly what I meant to do, then answering no immediately triggers an audit of the cancelled ballot. It's an automatic process that voters can be aware of but often won't be aware of and don't have to be aware of. Only those who want to use this as a challenge process have to use this cancel as a way of triggering an audit. 
So now I'm going to talk about how this can be applied specifically in the op scan case, giving some properties similar to Scantegrity. But some crucial differences. So the idea is we start with precinct-based optical scanners, this is something that people are finding is a preferred alternative right now among the nonverified systems. People are moving in droves away from electronic DREs. Other forms of ballots are considered undesirable. Certainly old lever machines we don't see a lot of, and punch cards, no, no, they cannot be used anymore. We wouldn't think of that. We start with precinct optical scanners. When a ballot is read by an optical scanner, then the scanner does two things. It increments the tallies and creates an encrypted copy of the ballot contents, according to the tally that I just encrypted locally. So I'm mentioning this. It's a little unfair. I asked Ron a question at the end about sort of the reconciliation, because this keeps a very tight binding between the tally that is kept on the scanner and the verified tally, because the encryption is going to match exactly. The scanner is going to read a ballot and say, okay, this is a vote for Alice. Well, a vote for Alice means increment the tally for Alice and create an encryption for a vote for Alice. They're bound very closely together. Once this is done, the scanner will retain a copy of the encrypted ballot to go into sort of the back-end verification process. And provide the voter with a copy of that same encrypted ballot. So the back-end verification, I don't want to worry about now. Ben did a great job this morning about talking about different methods of doing it. We have different ways of doing this. They're very solid right now. There's a publicly verifiable system. Mixing terms again. We're going from end-to-end verifiable to truly verifiable, open audit. Now here I'm using publicly verifiable, is yet another term. We can't yet quite agree on this. We'll see what sticks. 
But we have some sort of a back-end system that will do the tallying of the verified ballots. So the details of the back end we really don't need to worry about here. It's just whatever encryption we do in front is whatever is necessary in back. But we need voters to be able to verify that their choices, their selections have been encrypted properly. This is where this voter-initiated auditing, this cancel challenge approach works. So voters who want to have their ballots challenged can do so by simply doing a cancel step. So if you cast the ballot, you're done, there's nothing more you have to do. You've got a receipt. You can check that online but you don't have to. But there's also the challenge opportunity. And the key thing here is you can do one or the other, but not both. Because if you can do both, then you're getting an opening, a decryption, a proof of the contents of this ballot, which has also been cast that allows you to take it to a third-party to sell it, be coerced and other things. It's either/or. One of the two, never both. So nice thing about the ballot format -- here's a case where it differs from Scantegrity, is we can use optical scan ballots exactly as they're used today. We don't need special marks. We don't need special inks. We don't need special pens. The ballots can be identical. We don't need serial numbers or anything to distinguish them. We can use completely identical ballots to what's being done today. And I'll show you where we lose compared to the Scantegrity on this. But this is a slight benefit. Ideally, a ballot scanner would have certain properties which are very similar to what's found in ballot scanners now. So, first of all, ideally we have a ballot scanner which is capable of reading a ballot's contents and conditionally, depending on those contents, spinning it back and rejecting it. Now, we typically have that now to prevent overvoting. 
That if a ballot scanner determines, wait, you voted twice for this one office, the scanner can reject the ballot and say this ballot is going to be disqualified unless you change it. So this capability already exists. And it's actually very useful here. Other things we'd like to have on the scanner are some sort of a printer to print a receipt for a voter. Now, typically we do find printers on optical scanners, but they're usually sort of in the back for printing the tallies there. But this would make them more accessible, make them available to voters. A small display would be nice. Not required. Often does exist, but not always. Some buttons, accessible to a voter to offer some choices. Again, there are some buttons usually available. But maybe not accessible to voters easily. And one other thing that I think is a very desirable property that is not found on any optical scanners that I know of, it is found in some other voting equipment. And that's the ability to print on to a ballot that has already been submitted. So I want to be able to do what's sometimes called overprinting on to a ballot. And it's not a required thing. But here's why I really want to be able to do it. I want to be able to print directly on to the ballot what the scanner interprets as the contents of that ballot. Now, if you think about this, this is not a privacy violation in any way. This is a I read this ballot as X. X should already be on that ballot. So you're not really compromising the privacy in any way. But you're fixing what the scanner interprets as the contents of the ballot and what will be encrypted and what also goes into the tally. A real advantage of this, aside from any cryptographic or verifiability stuff, is that when you do a recount of the sort that Paul talked about this morning, we had this very elaborate recount five and a half years ago in the state where we counted. We got a tally. We counted again. We got a slightly different tally. 
We counted a third time, and we got a slightly different tally again, with a different winner the third time. And these are kind of voodoo. Okay. Let's try it again. Let's go from scratch. If we have this kind of overprinting on a ballot, we can say, okay, here's the tally that was done. Now we did a handcount and we see we have differences, and we can look and see exactly where the discrepancies are. These 324 ballots are being counted differently the second time than the first time, look at these particular ballots. These are the discrepancies. Here's why the machine counted it this way and we are now recording it this other way. It allows you to go and very precisely look at where the differences are. And it allows the process to converge instead of just being repeated, which I think is a real benefit. But it remains to be seen. Okay. So if you do this, then the process becomes voter prepares an optical scan ballot in a completely conventional manner. Puts the ballot into a scanner and the scanner will then read the contents and give the voter an encrypted copy, a copy of the encryption of the contents that will eventually be posted in most cases. The voter is given up to three options. The middle option doesn't have to be there, but it can be nice. It can cast the ballot. It can modify the ballot as one possibility. We'll talk about that in a second, or could cancel the ballot and thereby issue a challenge. The cast option is pretty much what you would expect. At that point the scanner's interpretation of the ballot content is printed on to the ballot. And the signature together with a hash of the encryption is put on the paper receipt. Voter takes this receipt home. Voter can check it later. All the back-end stuff is as usual. If we want to make the modify option available, this is probably something where there's a display or some means where the voter can see the scanner's interpretation of the ballot, and the voter can look at the small display. 
Maybe isolate it so nobody else can see it. And say, wait a minute, this is being interpreted as a vote for McCain, I meant to vote for Obama, modify, cancel, whatever, get me out of here. But some way of checking the interpretation before the final commitment. So that would be a nice thing to be allowed to do, and the voter is then allowed to take the receipt. But nothing is being posted that's saying, okay, go back, restart, do whatever you want to do with this ballot, we're not going to cast this ballot here. The cancel option is what creates the challenge. And the challenge is effectively, okay, open the ballot. Give a verifiable decryption of everything on the ballot. And one extra thing that I want to be able to do, it's not necessary but it's really nice to be able to print on to the ballot void. This ballot has been cancelled or just mark some location that says this ballot is no longer eligible for casting because the thing you want to avoid is, okay, I take this ballot. It's going to be cancelled. Spits back out. It's cancelled. I get a decryption of the contents but I have basically a paper receipt of what this ballot's contents were, and I take the ballot and I immediately issue it again and cast it. And now I effectively have a receipt of what somebody in the back of the polling station might have seen as the ballot I put in, got back and put in again. So I want to be able to say if you cancel it, it really is cancelled, start over. Okay. Verification. I think at this point it's all pretty clear. Voters can check their encrypted ballots are properly posted. Can check all the back-end tallying is done properly. Most voters might do -- some voters might do the first. Few voters will do the second but they might run apps or they might just have people they trust or their political parties or representatives or somebody. And anybody that does it can do all the back-end checking. 
And that checking, any apps that do checking would also include checking on down at the bottom, any cancelled ballots are really checked there, that's where you get confirmation of the correct encryption. All the voter would take home is a code for any cancelled ballot and check that those codes are properly posted, a fingerprint of some sort. Benefits: There's an additional audit path just like Scantegrity provides besides the original op scan count. You block some of the conspiratorial threats that you might have if you have a vendor who might have had some sort of a bad count or maybe you think election officials are doing something nefarious in the background. I won't go into a lot of detail but you get rid of that. You can detect inadvertent scanner errors, scanner registration problems. Now you can start to detect in real time during an election rather than finding out later that the scanner was misregistered and counting things badly. There are some threats. I want to sort of rush through so I'm not going to spend a lot of time on this. But, of course, as Ron was saying, cryptographic compromise is a new threat to voter privacy that's added here. If the keys are compromised, if the crypto system is used, whatever the encryption system that's used is compromised then this is another way that one can find out how somebody voted other than what might exist today. So it is a new threat. There are possibilities of covert channels that are created through the encryption. There are some ways of mitigating these. It's a little complicated. I don't want to go into that much here. Coercive threats are possible here. 
One thing you might not think of immediately is if I get to the scanner and I can see somebody who is coercing me, and that person can signal me somehow to cast or challenge at the very last minute, then I can be coerced by the take your ballot, fill it out the way I want you to fill it out, take it to the scanner and then on my mark cancel, cast, whichever. If I don't know which it's going to be, if I think it might be cancel, then I better have the ballot that you want me to have. So you have to be a little careful about laying out a polling place so that there's some privacy from coercive forces that you don't have the scanner facing an open window or something, the scanner should face sort of a blank wall and nobody could be behind it so I can't be coerced at that time. So some details. These are threats that can be mitigated, can be taken care of, duplication. If the process is done properly, that's not a problem. Some nice things are if you don't have a receipt printer, there are some alternatives. You can just use the hash code. If there's no display available, just buttons are enough. If you don't have overprinting capabilities, then you have to do a little bit more work to save voters, when you've got a ballot that's rejected you just can't resubmit it, you have to walk away with it and at least spend a few minutes, have an opportunity to change it or something like that. A nice thing here is that you can implement a lot of these things without doing full verifiability. So sort of incremental steps towards full verifiability, that have other benefits and other improvements that get there. And eventually, once we have incremental improvements, then we can go -- I guess I'm skipping ahead myself. But can go to the point where you have actually implemented public, truly end-to-end verifiable, verifiability without sacrificing sort of what we have in traditional op scan. So it's an approach that gets us there. Okay. I should stop. 
Take any questions if there are any. [applause]. >>: So your printer needs to be able to print some and then pause while the voter decides whether to cast or cancel, and then print the corresponding -- >> Josh Benaloh: I don't think so. I think the printer, the op scanner needs to be able to accept the ballot, read the ballot, create an encryption. But the printing doesn't have to be done until sort of the last step. And it will print and -- I think print and either cast or reject. But it doesn't have to print and then pause and then maybe do something else. >>: You need the printer to commit to the encryption -- >> Josh Benaloh: So the ballot, so the over printer doesn't need to. The receipt printer -- the receipt printer, yes, should print and pause, yes. I'm sorry. I wasn't clear. >>: To address the issue where someone gets back, could you do something where the minute you cancel it goes to a special bucket and [indiscernible]. >> Josh Benaloh: That would be a possibility. It just might be a little bit aggravating if you don't have that -- there are some reasons why you'd like to be able to give back the ballot. But it could go to a separate place. If you want to be able to modify, oh, I made one mistake on this huge ballot. Whoops, sorry, start again. The other reason is you might want to have that as at least partial evidence. I mentioned -- and I didn't get to -- a real benefit that Scantegrity has is this dispute resolution process. Here, if you've been cheated, if you press the challenge button, the cancel, it would say no, I don't want to cast this vote, and the op scanner says thank you for casting this vote and just sucks it in and votes, you don't have much recourse. You know you've been cheated, but you have no way of proving it. So it's nice if the process could at least, if it's operating properly, give you back the ballot as partial evidence of malfeasance. 
In some cases -- it doesn't cover the case I just described, but it's nice if it can as a trade-off. >>: Doesn't solve the first problem, but the second problem can be solved, it's still in a box basically says cancel. If it sees it come in again it just won't accept it; the scanner will notice. >> Josh Benaloh: Yeah. Yes, you want to -- yes. In some sense. If you have overprinting. If you can't print on the ballot, then you can take care of the problem of resubmitting the same ballot. That's sort of the -- the initial benefit of overprinting, but there are these other benefits in being able to see what the interpretation of the voter's marks were so that you can reconcile differences more easily. >>: In terms of voiding a ballot, what's cheaper, printing void on it or punching a big hole in it like we did in the past? >> Josh Benaloh: It may be. Instead of overprinting, you might be shredding instead. >>: Very expensive. Punching a hole is much cheaper. >> Josh Benaloh: Yeah. There may be other possibilities there, absolutely. >>: One of the things we learned with the Scantegrity experience was the issue, sort of the timing. One of the nice things about Op Scan, it's very fast for the voter. The voters are in parallel filling other ballots and scanning. Here you've got a scanner interaction, it's a little bit more complicated. So do you have any feeling for how much impact that might have, have to buy more scanners? >> Josh Benaloh: I don't have a good feeling. I know from my own experiences, in using optical scanners in this state, recently, when they were still available in poll stations in this state, that there were many precincts, sort of very large poll site with one scanner and that scanner was never backed up at all. That scanner -- because it was so quick. And because you spend a lot of -- especially in Washington, you spend a lot of time going through all the bubbles and whatnot. There was never a queue. There was plenty of time on the scanner. 
>>: Well, I would point out just for those who might be from the East Coast, that also in Washington, one of the reasons maybe why there wasn't a good back-up is even if you had it all in place 70 percent of the people who voted voted by mail. So only 30 percent of the voters who actually went to the polling place. >> Josh Benaloh: Yeah. >>: So my question -- and I'm sure a lot of us are familiar with this system, there's a commercially available system where you stick in a preprinted ballot and it recognizes what that ballot is. You can vote your ballot on a DRE type of interface and it will print on it. >> Josh Benaloh: Ballot printer. >>: Yeah. And I think Ron's question kind of hit on it, which -- on the issue I would have, is that that's a very long process. And so I would have a similar question as to how much this process impacts. >> Josh Benaloh: The basic answer is no, I don't have a good feeling for how much. I would guess -- my supposition here would be that most voters put it in. A receipt prints out. Tear off the receipt. Go, and they're gone. One percent of voters challenging, canceling, is plenty. Ten percent would be great. And still I would think that would be a relatively minor burden. There is still some back-up because there's now printing receipt and you need a more reliable printer than you've probably got. And that does take a little bit of time and that can create some confusion. >>: It's an interpreting of the ballot -- >> Josh Benaloh: That would slow things down far more. The modified choice which I kind of like, but I agree. There are a lot of costs not just financial in offering that option. But I think some benefit, since this scanner is interpreting your ballot. I'd kind of like to know what interpretation it's making. But I don't know if it's the right thing. I don't know if it's the right -- okay. There were some open issues. 
I don't know if it's appropriate for me to start throwing -- the biggest open issue for me on this is the challenge process. That's lacking here that I know I've been screwed. I have no way of proving it to anybody else that Scantegrity provides some evidence and this doesn't. That's the biggest thing. But there are some other issues we could talk about. >>: Make sure I understand your proposal. So the ballots are printed uniquely. But they're printed, there's an interpretation. Is there any kind of unique ID then that's printed on the ballot? >> Josh Benaloh: No. >>: So the ballot just has its ovals and its interpretation, but if we want to match up the electronic records with the paper records you can't do that on this basis? >> Josh Benaloh: Well, actually, one possibility would be -- there are variations, of course. One possibility is the encrypted ballot contents are also printed on to the ballot. And then you could do the match-up, one for one. I'm not sure that's necessary. What I want -- >>: Looking at the coercion possibility that you were talking about also, somebody was looking at a paper that's identified, a receipt that you could look it up? >> Josh Benaloh: True. That would be a reason not to do that but instead to just have the interpretation of the marks and nothing else, yeah. Okay. So process, probably the thing to do is to take a ten-minute break and let's try to resume promptly at 2:45 with Ben's talk on Helios.
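The cast-or-cancel scanner flow from the talk, modelled in Python as an added example that is not part of the transcript or of any real voting system: the scanner encrypts its reading of the marks and hands out a receipt before the voter chooses; "cast" tallies and posts the same reading and overprints it on the ballot; "cancel" opens the encryption so the voter can check it against the receipt and voids the ballot so it cannot be fed back in. A SHA-256 commitment stands in for the encryption and an HMAC under a scanner key for the receipt signature; both are assumed simplifications, as are the names and the constructed ballots.

```python
# Added model of the cast-or-cancel scanner flow. The SHA-256 commitment and the
# HMAC "signature" are assumed stand-ins for real encryption and signing.
import hashlib
import hmac
import secrets

SCANNER_KEY = secrets.token_bytes(32)  # constructed per-scanner secret

def encrypt(interp, rand):  # commitment to the scanner's interpretation
    return hashlib.sha256(rand + interp.encode()).hexdigest()

class Scanner:  # precinct scanner: local tally plus encrypted copies
    def __init__(self):
        self.tally = {}
        self.posted = []      # encryptions of cast ballots (bulletin board)
        self.challenged = []  # openings of cancelled ballots, also posted
        self.held = None      # the ballot currently sitting in the scanner

    def read(self, ballot):
        """Accept a ballot, encrypt what it reads, hand back a receipt."""
        if "void" in ballot:  # the overprinted VOID mark is checked here
            raise ValueError("cancelled ballot cannot be resubmitted")
        rand = secrets.token_bytes(16)
        enc = encrypt(ballot["marks"], rand)
        self.held = (ballot, rand, enc)
        h = hashlib.sha256(enc.encode()).hexdigest()
        sig = hmac.new(SCANNER_KEY, h.encode(), "sha256").hexdigest()
        return {"hash": h, "sig": sig}

    def cast(self):
        ballot, _, enc = self.held
        self.held = None
        interp = ballot["marks"]
        self.tally[interp] = self.tally.get(interp, 0) + 1  # the same reading
        self.posted.append(enc)                             # is tallied and posted
        ballot["overprint"] = f"read as {interp}"
        return ballot

    def cancel(self):
        """Cancel = challenge: open the encryption and void the ballot."""
        ballot, rand, enc = self.held
        self.held = None
        ballot["void"] = True
        opening = {"interp": ballot["marks"], "rand": rand, "enc": enc}
        self.challenged.append(opening)
        return ballot, opening

def challenge_ok(receipt, opening, intended):
    """Voter-side check: opened contents match the receipt and the intent."""
    enc = encrypt(opening["interp"], opening["rand"])
    return (enc == opening["enc"]
            and hashlib.sha256(enc.encode()).hexdigest() == receipt["hash"]
            and opening["interp"] == intended)

def run_election(marks_list, challenge_every):
    """Scan ballots, cancelling every k-th one; return what an auditor sees."""
    s = Scanner()
    res = {"challenges_ok": True, "resubmit_blocked": False}
    for i, marks in enumerate(marks_list):
        ballot = {"marks": marks}  # constructed one-contest ballot
        receipt = s.read(ballot)
        if i % challenge_every == 0:
            ballot, opening = s.cancel()
            res["challenges_ok"] &= challenge_ok(receipt, opening, marks)
            try:  # a cancelled ballot fed back in must be rejected
                s.read(ballot)
            except ValueError:
                res["resubmit_blocked"] = True
        else:
            s.cast()
    res["tally"] = s.tally
    res["tally_matches_posted"] = sum(s.tally.values()) == len(s.posted)
    return res
```

The last field captures the tight binding the talk describes: every increment of the local tally corresponds to exactly one posted encryption, so an auditor can reconcile the two counts directly.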