18271 >> Josh Benaloh: Not knowing when enough is enough, I'm going to reconvene quickly because a few people suggested it. And we've got a couple of quick topics, but we'll make it quick so we can wrap up and move over. So a few people did ask that I just say a little bit about some alternatives. So let me just show a couple of other systems that I think are interesting, and I won't go into too much detail. But one thing that I think is particularly interesting is the [indiscernible] ballot. And Ben did mention this quickly this morning, but this is a very clever idea and one of the things I liked most about it is you can explain it pretty in one sentence to most voters. The basic idea is how do you get the voter verification. Well, here's a ballot, and the only interesting feature about it is that the candidates are randomized differently on each ballot. Well, not on every ballot, but every ballot independently randomizes all the candidates. So voters task here is pretty much to pick the preferred candidate, put an X there, and take advantage of the prescored tear, tear off the left half, throw it away, and this is what's left. This is the receipt. Now, what you do with it is, well, this ID down here, you can explain to a voter this is an encryption of the order of the candidates. So from this value down here, you can actually tell what this vote is and you go through the cryptographic back-end processes. The verification can be very simple. A voter can pick up three ballots and say, okay, open these two. These two open properly. Okay. Now I believe the third one is good, I'll vote on it. Done. Everything works well. It's a very nice system. Also you can do auditing beforehand. Make way more ballots than you need and use some random process to decide to open half the ballots beforehand to do some preauditing, and any leftover ballots at the end, you open them and audit them, too. You have a lot of possibility for auditing this. Another thing, it's a little bit more complicated to go through, but it's a really nice possibility. We kept talking around Mark Pledge a little bit. So I'm going to describe it. This is Andy Neff's track. What this does, unlike any of the other things we talked about, is this allows auditing of the ballot that you actually cast. Instead of the cut and choose types of systems where, okay, those ballots look good so I believe my ballot looks good also, this is your own ballot you can check. And the basic approach is this is a legitimate mark pledge ballot with a vote for David. And the way you know it's a vote for David is all the numbers next to David are the same. Doesn't matter what they are, they're all the same. So you as a voter would interact with the voting booth. This would be done electronically. You tell the voting device I want to cast a vote for David and a ballot would be prepared in this form. So random except for all constant in one realm. That ballot would be prepared. It will then be encrypted and committed to. You'll get an encryption and a hash of that encryption. And then you as a voter get to see the commitment that goes further than that that says that your candidate number is. This is not printed. It's just displayed for you. Your candidate number is 863 or something like that and your challenge as a voter you interact, the voter, basically pick a column, pick a random number, the random number corresponds to the column. The voter challenge is decrypt column number five. Column number five is opened and all the opening is committed to and can be checked off line later. Column number five is open, and you can check that the commitment really does match your candidate at that point. And that way you have some confidence that this ballot does really represent your intentions. Later on, this ballot is going to be fully opened. Not with exactly these numbers. It goes through homomorphic type processes where all the numbers are changed, but the numbers that start out the same end up the same. So it will still be the case that David's row will be constant and you'll look for David. So that's pretty much that there. I guess I'll mention PunchScan quickly. Basically there are a few different -- you've got two pages. And you have a couple of different possibilities here. So the top page might say X is Bob is Y and Alice and bottom page might switch X and Y or the top page might be switched. What you do as a voter you take one of these big bingo daubers and you mark right through and then these things get separated. If you have the two together, you can tell what that's a vote for. But just one serves as a receipt doesn't reveal your vote and goes through a process very similar to this Scantegrity process on the back end. Again I won't go through the details. This is a little bit more cumbersome. This is something that David Jom did a few generations ago. It had some interesting uses. But nothing more. Scantegrity. I can go right past. Free ballot is one of Ron's innovations. Just this is a proof of concept kind of thing, showing you could do this with no cryptography at all. It's not a perfect system by any means. But the idea is roughly you've got three identical ballots. You mark once for the candidates you're not voting for, twice for candidates you are voting for. And so this is over here top of vote for Bob. And down here is a vote for David. When these things are all counted, you get all the right differentials. You just sort of add up the total number of votes and everything works out. If you want you can subtract off one from every candidate and you'll get exactly the right numbers. But the key thing is you can keep one of these as a receipt and one of these things doesn't show how you voted. And there doesn't have to be any cryptography in it. There is some how do you enforce you really did put one or two marks in a row and other such issues. But it's getting at the basic idea. So I don't even have to go through that with verifiability. I just wanted to show a few front ends. And the other thing that has come up Ron was raising the issue of looking at what we can do with remote voting, mail-in voting, especially. We live in a remote voting state. Most of us do. And are there ways that we can get verifiability, get protection from coercion, and still have this mail-in kind of election. And we were bouncing around a few ideas. I don't know, many people are probably aware of this medical anonymization trick, where you're asked a question like: Do you or are you HIV positive, and people would be reluctant to answer, perhaps. So the instructions are, instead, flip a coin at random, if it comes up heads, say yes, I'm HIV positive. If it says no, answer truthfully. If it's tails answer truthfully. You know, one, B, E, whatever. And this is a way that people can answer truthfully and still not risk or not risk nearly as much but revealing their information because if they marked yes I'm HIV positive, they can always say whoa it's just because the coin came up heads that I made that mark. But statistically then you can get a lot of information. Maybe we can do something like that with mail-in voting, where you have access to your votes and your votes might be coerced or you might be able to see how you voted or show somebody else how you voted, but half the votes are randomized and statistically you still get the right count. Probably statistics don't work so much in voting, but maybe there's some cryptographic processes to actually take that out, show that it was done where deterministically exactly half the votes were changed in a very precise way so that it didn't change the results. But you can still show all the pieces were right. Not even a quarter baked at this point. But some thoughts and some things we might want to think about. So anyway, that's sort of to open discussion, we can do it informally or whatever and break up and go around the corner, whatever works. Okay. Anybody want to add anything at the at the end of the day? >>: Yes, I think we should thank Josh. [applause]. >> Josh Benaloh: Thank you, but Seny did a lot of the work. [applause]. >> Josh Benaloh: Okay. Well, we'll sort of officially adjourn. There's food around here. There's apparently food over at Larry's talk and we can keep on talking. Thanks, everyone.