>> Josh Benaloh: Welcome back. I think we're ready to start this afternoon's session. I think this morning we had a great opportunity to frame a lot of the issues. This afternoon is going to be more free form. We're going to explore some of the details of the front end, largely, what the voter sees and how the voter can participate in a verifiable process, without, hopefully, it being too onerous on the voter so it really is practical, and see some real instances of this. This is going to be started by Ron Rivest, who will talk about some work that has actually been fielded for Scantegrity in a municipal election. Ron, I guess, is sort of a typical example of somebody who needs no introduction. But, of course, when one says that, an introduction is then obligatory. So Ron is the R of RSA, which is used by everyone today when they use credit cards online and such. Has invented many systems. RC2, 4, 5. MD2, 4 and 5, I think. MD6. And many, many other things. Not the least of which is the last few years he's focused some of his attention on voting systems, and we'll hear about how Scantegrity has gone on now.

>> Ron Rivest: Thanks, Josh. Pleasure to be here. Great to have a voting workshop. Thanks for putting this together. I think it's great to get together and talk about voting. It's an exciting area, and it's been hard. And I think we're making progress on it. I'd like to report today on some progress, what happens when a bunch of academics get out of the ivory tower and get their hands dirty and really try to help run an election with one of these systems. So it actually worked pretty well. I'll tell you about that. So the goal here -- can we have a screen here? Do I need to do something? There we go. The goal is to explain this particular system and explain to you what happened. Mostly good stuff at the Takoma Park election November 3rd this past November, where the mayor of Takoma Park got elected with one of these systems and six council members.
This is a system with a whole lot of people. David Chaum is the lead and the main innovator of this and I'm one of the participants in this. And the key idea of the interface, just to give you a heads up, I think this works. There we go. So the key thing is when you mark the oval on your op scan ballot, you see a confirmation code appear here. You see 631 appear there. That's the main innovation as far as the voter user interface appears. That gets wrapped in the systems behind the scene to make the accounting verifiable and so on and so forth. But in some sense that 631 is the encryption of your vote. So the end-to-end systems, the truly verifiable systems, as have been explained, are systems that typically involve a website where stuff gets posted. Stuff that doesn't reveal exactly how you voted but allows you to check that your vote was recorded correctly and also allows anybody to check that the tally is correct. We don't want people selling their votes. You can't post the votes in bare form, unless we give up on privacy altogether, and so some cryptography is used. Cryptography here tends to be less mathematical than the stuff that Ben talked about, as you'll see. I'd like to think of the verification as involving three parts. If you want to verify all the way from the voter's head to the other end where the tally is, you want to verify effectively three things. One, that the votes were cast as intended, and the voter can do that because she knows what she intends. Then collected as cast. Some kind of verifiable chain of custody. And that they're counted as collected. This is the tally that needs to be verified as well. Anybody can do the last two, or the last one anyway, and the voter can check that her vote was collected as cast. Voter verified paper trails only check the first of these. You can see your vote is correct on the paper. But after that you're depending on the election officials and so on.
The end-to-end systems provide this buzzword software independence and also verify the chain of custody and a verifiable tally. So Ben gave a nice overview of the general properties. This is a restatement of those. So Scantegrity, this is the second iteration of this. I'll just talk about the second version. So the key philosophy here is you take a standard voting system that voters are familiar with and you add a layer of mechanism that gives you this additional verification capability. So, by and large, this all feels very familiar to the voters. They're taking the ballots. They're marking ovals. Things get dark when they mark the ovals, and, by and large, it all works -- in fact one of the problems was it was too familiar. Voters didn't notice the differences in many cases. They just thought that this was their traditional op scan ballot and the little numbers that appeared, who cares whatever they are. I don't know. So we didn't do enough education of the voters about the differences. So it feels very much like an optical scan system. The new things are it's got invisible ink for the confirmation code, so when you mark the ovals you're using a special pen that has special ink in it. When you mark the oval, the ballots are preprinted in sort of reverse font here so that you have a confirmation code of some sort that appears in the oval. So you can't mark outside of the ovals, in fact. The pens don't make any mark. You can't circle the candidate's name like you were talking about, Paul, or anything like that. It's nice in that sense. Gives a nice solid oval when you swipe them. We had a pen with two tips on it. One was the chisel tip you see here, allows you to swipe the oval in one swipe, makes a nice dark mark. The other was the fine tip, at the other end, you could turn it around for write-in ballots. We had write-ins in this election as well. But the main point is this is like an op scan ballot.
If you're an election official that doesn't want to know anything about this new mechanism stuff, you can say, can I get all my traditional stuff? Yes, you can. You can do hand counts. We did a full hand count afterwards. You can do random sampling and auditing. You can treat these as ordinary op scan ballots fully and then the additional mechanisms give you the verification capabilities that we talked about. So we had a connection with the city of Takoma Park, which is a very progressive neighborhood north of Washington D.C. They were looking for ways of -- they have complicated elections. They've got IRV and things like that. So they need some interesting technology to support that. There was a connection with one of the team members, Carback, with the election officials and that grew into a relationship where we agreed to try a pilot. And we had a trial election in April and then a -- mock election. Then a full real election this past November. So the main thing, as I said, was the interface: the special pen marks the oval, and shows this confirmation code. So there's some special -- gallic acid and some other stuff, special inks that David Chaum can tell you more about. We're trying to formulate the ink so they don't damage the print heads. We had problems printing the ballots a little bit. We had Epson ink jet printers. Took the cartridges and filled up the cartridges with our inks instead of the standard inks. That worked pretty well, but the print heads tended to die fairly quickly. We went through a few print heads like that. I think with the new formulation that will be fixed. These are the things you learn by doing elections. Confirmation codes are random. The voter can copy them and take them home. Those are encryptions of her choices, if you like. I think that's the simplest way, with what Ben said. Confirmation codes can be used as encryption, unique per ballot.
Each ballot has an identifying number and the combination of the ballot number and the confirmation code is an encryption of some candidate's name. The officials post the revealed confirmation codes and the voters can look on the website after the election closes to see that the ballot, first of all, is recorded as having been scanned and, second of all, what the confirmation codes are that the voter should have seen. Now, what's the point of having these confirmation codes revealed like this? The point is that if the voter sees something that's incorrect, they can protest. There's a protest protocol. The voter says: You show this confirmation code instead of that confirmation code. Voters can be malicious here. They can protest to discredit the election. And so you'd like to be able to distinguish between a protest where a voter is just being a troublemaker and a protest where the voter's got a legitimate complaint. You can tell here with a system like this that the voter has a legitimate complaint because they know the confirmation code they shouldn't have been able to know without having actually marked the ballot. That's the point of having the confirmation code. They're only revealed when you mark them. The voter only sees confirmation codes that they actually voted for. The fact that they know the confirmation code is good evidence they actually voted for them and it should have been posted. And we had a lot of debate about how long the confirmation code should be, three digits, two digits, four digits, six digits; we ended up with three digit codes. Any questions about that sort of --

>>: What happens if someone ruins a ballot, can't take another one because the confirmation code didn't get counted?

>> Ron Rivest: Spoiling ballots, the usual procedures apply. You turn the ballot in. It's recorded as spoiled and -- there's also another part of the auditing procedure where we'll spoil the ballots.
>>: Maybe what wasn't clear is probably the codes are close to one ballot, it's not going to be valid for another.

>> Ron Rivest: That was behind your question. I didn't understand. Yes, the confirmation codes are unique. The random -- I should have said on that line -- and unique per ballot, too. In fact, unique across different races. The same confirmation code doesn't appear on different races on the same ballot. So there's the limits of my PowerPoint skills. We actually had -- at one point we had a letter and digit. We switched to three digits. Seemed like it could be easier for voters to get used to. So here's the behind-the-scenes stuff. So you see in the interface. So there's this website. There's this encryption process. The encryption really is a random encryption, if you will. The confirmation codes are random. So how do they get decoded, if you will, how do you verify that the decryption is being done properly, that the tally is right? Here's step one, here's what happens behind the scenes before the election starts. And I guess -- there's a data structure created. Here's the data structure. It's got a column here for the ballot. This is a ballot serial number. Another ballot serial number. Within a ballot there's various confirmation codes that might appear; on these slides I'm using two-character combinations and in the actual election we had three digits. One in each confirmation code. Corresponds to the ballots printed. We have some intermediate nodes, sort of random numbers. Then we have a final column which has one entry for every ballot entry. So if there's a Tom and a Dick on the ballot there would be a Tom and Dick that correspond. The correspondence is indirect, and it goes through this data structure. The first confirmation code on ballot 251 corresponds to Tom. And the second confirmation code on ballot 251 corresponds to Dick. This is the correspondence. The edges in the graph are committed to ahead of time cryptographically by election officials.
We have a cryptographic commitment procedure. It's basically encryption. You take the pair of things, which is the confirmation code and the ballot number, together with this number and you just encrypt them all together with a key that's unique to that encryption. And you can open it later. You're putting it in an envelope. It has two protocols. One is committing, which is the encrypting. The other is opening, and you can open it later and see what's inside. So we can see that this edge is there later on. But we're going to hide all of this data structure. And we had a threshold encryption scheme set up. The election officials, we had four shares. There were four election officials on the board of elections. They each had to have a password to open their thing. We had a threshold of two. One of them actually forgot their password. So we only had three active election officials. But two was all we needed to make it work. That was fine. It was scary if we lost one. So this is the data structure. Any questions about this data structure? So then before the election, this is all committed to. The pile of commitments is there but the connections are no longer visible anymore. They have to be opened to reveal them. And the ballots are printed, and there's more to say about the printing process. That needs to be secret as well, right? Because the printer knows the correspondence here. So these are underneath the invisible ink. You can't see them here. But we worried about people being able to tell what the confirmation codes are without having to reveal them. There's chemicals or special light you can shine on the ballots. Seems to be pretty good against those kinds of attacks, but more research could be done there. Anyway, this is the start of the election. So everything's posted on the Web, all the commitments are posted. The ballots are printed and we're off and running. Then the voters vote. The ballots are scanned.
The ballots, the scanner is a traditional Fujitsu desktop scanner. Doesn't do OCR on the confirmation codes. It just looks at where the ovals are marked. Those get translated then into positions on the ballots that are posted. So the confirmation codes that should have been revealed are check marked and decrypted on the website. So on the website, you can see ballot 251 should have revealed F7. The voter, when she looks up her ballot, can see that this is the confirmation code she should have seen. So the voter, after she goes home, she's written down on a separate piece of paper the confirmation code she saw. Took that home. She's got the ballot number and confirmation code. She looks it up and says they've got my confirmation number correct. They've recorded the confirmation number I saw. I'm happy with that. They've got essentially the encrypted value for my vote. They've got the F7 and voter 302 has her encrypted confirmation code posted correctly. At this stage the voters have done their part. We've verified that the vote is as intended, so the voter knows they marked the oval next to the candidate name that they liked, and the website is now posting the correct confirmation code. So we've got the first two steps of verifiability: the vote is cast as intended and collected as cast. And now we want to do the tally. So this involves essentially a mix net kind of computation like Ben talked about. A little bit different. So if you view this thing as a mix net. This graph structure maps this F7 to someplace over here. So the election officials who know the graph structure, or when they combine their thresholds, we compute this graph structure, know what ought to be checked. If we take the path from F7 to some candidate, whatever it was, you can check the nodes along the path. So the election officials post those check marks; there's some path that goes from F7 to one of the candidates. I've checked the vertex along that path.
Some path that goes from this checkmark to this candidate. I've checked every vertex along that path. We've got to be careful. We don't want to tell the world how each particular voter voted. So we can't reveal these links. So the voter who had 251 can see that, yes, indeed this is the path. This is the edge that corresponds to that, this is the edge that corresponds to that, because if you could trace those paths, all the way across, anybody could sell their vote. You can see that F7 corresponds to Dick. You're here in the case of the small sample, you know everybody voted for Dick in this election. But there's only two voters, but you know what I mean. So here we want to confirm that these two checkmarks here correspond to the end points of these paths coming from these two checkmarks over here that go through these two checkmarks without revealing what the paths are. So we want to have some path checking process that works without showing what the paths are. So every edge in this graph needs to be checked: either both end points should be checked or not. So how do we do that without revealing the paths? So this is a process called randomized partial checking that Ari Juels and Markus Jakobsson and I worked on. And it works as follows. So we -- I guess before we get to that, you know it's clear once you've got the checkmarks around, you can do the tally. You can see Tom got no votes and Dick got two votes. So we know that's the alleged tally for this election. Assuming that the checkmarks are lined up properly, but we have to check that the checkmarks are lined up properly. So how do we do that? We start off like this and we go through the middle nodes one by one. And each middle node is the middle of a path. If it's unchecked it should connect on the left side to some unchecked node. If it's on the right, it should also connect to some unchecked node. If it's a checked node it should connect to a checkmark on each side.
We're going to check for each node half of that so we don't reveal the paths. So we can check the first node. We actually used stock market prices on the day of the election to generate pseudo random numbers. And so we took the stock market, the Dow Jones average and half, and hashed that with SHA-256 or something and got a bunch of random bits. So we -- you can argue about whether that's the best thing to do or not. So that's what we did. We had a bunch of zeros and ones and the first one was a 1. So for this first node we checked the right-hand side. And so that commitment was opened. So we can see now where this edge goes, from this node over to Tom, and so both are unchecked. This is unchecked and that's unchecked, so that's cool. We don't know where it goes the other way, that's okay. So now this node we got a 1. We look this way. We see it goes down to Dick and this is checked and this is checked, and we go down through all of these nodes, and we're checking essentially half the edges in this graph. Checking they had checkmarks on both ends or checkmarks on neither end. And the assertion then is that if somebody was trying to cheat this process, and have these edges go in screwy ways, or put the checkmarks down in a screwy way, so the edges didn't have this property of being checked on both ends or checked on neither end, then we would have a pretty good chance of detecting problems. If one edge was wrong, we've got a half a chance; every edge has a half a chance of being examined. So we would have a good chance of detecting one; if there's more than one, there would be an overwhelming chance that you'd catch them. So this gives us confidence that the overall tally is correct. We see what's posted. This is -- these checkmarks are posted. These are opened up. These edges are opened up. We see where half the edges go. We can check the checkmarks on both of the end points and we can see that everything looks cool. That the checkmarks seem to be great.
But we're not seeing how anybody voted. We're getting high confidence that this process with the tally is giving us the right answer without actually seeing how anybody voted. This is F7 checked. This could have been -- again, we have the small sample. But maybe I should have done it with Tom and Dick switched or something. But you get the idea. Any questions about that? So that's the verification of the tally. So we have cast as intended. You can see your ballot was marked as you intended. There's a step here I need to talk about, the printing of the ballots, a little more. I will. Collected as cast. The voter can check that her ballots are posted. Confirmation codes are posted correctly. So the encrypted choices that she made make it properly to the website. And then counted as cast. That was the last thing I explained, how by checking what's posted on the website you can confirm the tally and see that everything is cool there. So let me talk about the ballot production, printing, because that also needs checking. So there's an issue here, ballots are different. They have confirmation codes on them. They have serial numbers on them. And the voter is trusting that when she marks a particular confirmation code that it's associated with the correct candidate. And so you actually need to audit that as well. If the printer was to switch the confirmation codes in a given ballot you'd have problems. Or switch the names of the candidates, because the voter doesn't see the paths going through the data structure either and can't check the marks that she sees on her ballot going all the way to the end. You need to check that the ballots are printed properly. And so we had Lillie Coney from the Electronic Privacy Information Center randomly pick ballots during the day, mark all of the ovals, and then we would spoil that ballot so it's marked officially as spoiled. And then on the website we would open all of the commitments and see what went on for those ballots.
You could trace through all the choices for that. You could check that the data structure is entirely consistent with those ballots there. We did it for about 50 ballots during the day. Enough to see if there's any major issues happening there. So we did a ballot production check. The checkmark consistency check I talked about, public tally we talked about there. So that's really what you need to verify the correctness of the election outcome. We've got cast as intended, collected as cast. Tallied as collected. Any questions on --

>>: So a lot of elections are decided by deciding voter intent, and in this system, given this physical mark on paper, I'm wondering in this election did you run into any problems where the ovals were marked and both of them were sort of marked?

>> Ron Rivest: These were scanned by Fujitsu scanners. We had -- and so they were looking for darkened ovals. There were a few cases. We also had write-ins and things like that. So I mean the voter intent was more along the lines of somebody checked off a candidate and then also wrote their name in on the write-in line and checked the write-in box oval, which is a little different.

>>: People were saying that there was a squiggly kind of close to the oval.

>> Ron Rivest: One of the nice things about this is you can't write outside the ovals. And you had the chisel tip for writing inside the ovals, broad swath. A little of that, maybe one ballot.

>>: The follow-up question is could this system work electronically where two copies were printed with the codes and the voter had a chance to compare their receipt they were going to take home with what the computer printed, and that's the [indiscernible] to give them a choice.

>> Ron Rivest: It would be nice analog sometimes, because you have a lot of issues there. But every piece of equipment you add to a system to make it more digital in some sense is a piece of the system you've got to audit and check.
For example, the recording of the confirmation codes here we decided to have the voters do by hand on a separate little piece of paper, they had a pad in the voting booth, rather than have it printed out, because you have to verify that the printer was doing the right thing, another complicated piece of equipment. The answer is can you do X, probably yes as a generic answer, but you have to see what extra layers of the system you have to check the parts of. Push to keep it simple. Enough mechanism to verify all the way through. So more comments. The ballot production is sensitive; you need to keep the PDF files secret that the printer -- trusting the printing process. It's not a question of integrity here. It's a question of privacy. So the ballot printing needs to be private, because they're unique ballots and you don't want to leak out which code numbers ended up on which ballots. We talked about the ballot production being audited. Coney did. And you can imagine another attack where people -- you have to think of all the different ways somebody might attack the system. As David was going through. Printing duplicate ballots. It's detectable. Voters both got the same ballot. And they both checked online, but they happen to vote differently, then one of them would protest. Things like this you need to think through. So we actually had a real election. It was great. This is the first U.S. governmental binding election for one of these end-to-end schemes. There have been a lot of others, as David talked about and Ben mentioned, where we've had organizations. But this is a governmental binding election. There's one poll site. Six wards. 1722 voters. Just 1 poll site there, so it was a small jurisdiction. 66 voters verified online. Which is enough to give some confidence that all the parts are working as well. I think a lot of voters, we did some post election surveys. A lot of voters didn't actually realize they could verify online until later.
We had this mock election I told you about and they said what's the problem with this system, because is it really going to work for voters. And they decided the problem is me. I'm serious. They had me up at the front desk explaining how the system worked to voters as they came in. That took far too long. So that was about eight minutes per voter. So here we got it down to two minutes per voter by cutting me out of the loop. The consequence was the voters didn't actually understand what they were doing anymore; they didn't get this nice lecture ahead of time explaining. So far too many of them didn't realize they could verify online and stuff like that, even though we had signs up and explanations and things like that.

>>: Could you explain eight minutes per voter, it would take you a week.

>> Ron Rivest: Groups like this, stuff like that.

>>: How were absentees?

>> Ron Rivest: Absentees, they don't use pens. But we could have -- great question, does this system work with mail in? You could mail them out with the special pens and then everything's pretty much the same except for the fact you don't have protection against coercion locally when the voter's voting, because you always have that with mail in. The voter can check online.

>>: You get some information that could come from -- if the white part really comes out white and you scan it. Can't you probe randomly and learn some information about what the numbers are?

>> Ron Rivest: This is the PIN attack; you have various attacks for banks, kind of PINs that are mailed out where people have taken pens and probed under the scratch surface to see what the font is there. We jittered the positioning of the confirmation code. This is all sort of academics going overboard on some of this. But you can actually protect against some of those things. The real question is whether the technology we've got for printing this invisible ink really works against -- it won't work eventually. You can always have some kind of attack.
Mass spectrometer and take micrograms of stuff out of it. The question is how well does it work. If there's good chemists that want to play with it, we'd be happy to -- Josh.

>>: Did the final verified tally actually match the op scan tally?

>> Ron Rivest: I think the hand tally, we had a couple of cases where there was a voter intent issue. Where the op scan machine said it was illegal, voted twice, voting for the candidate and writing in the candidate's name as a write-in. I haven't talked much about write-ins. We handled interesting complications when you get into real elections; there's the ST ballots. Early vote, so people went early downtown to vote. Using the pens. Provisional vote. You had to be able to handle voters who weren't clearly qualified at first, then later were. Spoiled ballots, voters would make mistakes and need to come back and get another ballot. So you have to mark them as spoiled, and we had the ballot audits, a class of spoiled ballots. Privacy sleeves. David Chaum is a fanatic about privacy, cares that voters not be able to walk around with a bare ballot. They had to go in a folding black cardboard thing that got stuck in the scanner. The scanner sucked it out of that. Not something I am used to in Massachusetts. But protects privacy while you're in a poll site from anybody seeing anything. Write-in ballots. Special phase after the ballots were scanned to be able to interpret the write-ins. So there was a program there that said this is a ballot with a write-in. There was a pixel image in the write-in field. And somebody could type in what the interpretation of that was. And that gets posted, too. You can see what that is. IRV, instant run-off voting, which is not my favorite election system. But they wanted to use it there. And so you marked first choice, second choice, third choice and there's a process of figuring out who wins the election. External auditors. Ben was one of our external auditors.
Ben did a fantastic job at writing code, understanding all of the system. Writing code. Looked at everything on the website and checked that it all made sense. And you can look at his website and see the auditing process. It's all public. It's on the website. So anybody can look at it and do these checks. And Ben was one of the official auditors. Filip Zagórski also did some of the similar checks. We had two scanners with higher throughput. Spanish and English printed on the ballots, et cetera, et cetera. This is David Chaum with the ballot box. So this is a big sort of laundry bin we bought for ballot boxes, after ballot boxes. This is a desktop Fujitsu scanner hidden in here. This is a custom piece of mechanism that David got engineered for the thing. You slide the ballot with the privacy sleeve on it. It falls down here. There's a little button that keeps the privacy sleeve from sliding into the scanner. The ballot goes to the scanner. It falls into the box. Laptop in this box that does the recording. There's a seal of the city of Takoma Park. And a locked ballot box, whatever. So that was -- this is the ballot itself. So we had, you can see the -- one thing that wasn't so great was the font on these. The font didn't have as high a resolution as you'd like. The one complaint that we had that seemed like it might be sort of legit or whatever, understandable, was somebody couldn't tell 0 from an 8. So it was like only one pixel difference from there. So that needs a little improvement. But I think that's all doable. Somebody's marking first choice, second choice. Third choice. If you mark your third choice, you can do a write-in. These are alignment marks for the scanner. This is the bar code for the serial number, as well. This is the human readable version of the serial number for the ballot. Instructions in English. Instructions in Spanish. So you can see this was also -- the yellow regions are the ones that are sensitive to the special ink.
Write-in area you could write in. You couldn't write out of that area or the oval. Some of the issues: the ballot printing was challenging. As I mentioned, I think the inks weren't friendly to the print heads. A lot of the voters didn't understand they could verify online. Long-haired professors talking too much. I take responsibility. That was the mock election, though. No special pens for absentee voters. So the absentee voters could not check online. Other than the fact that their ballot was -- they couldn't see the confirmation codes. They filled it in with an ordinary pencil. They could see there were confirmation codes posted. They were treated like that because the posting of the confirmation codes on the website didn't depend on doing OCR on the ballots, just looking for where the ovals were dark and translating them back. And so -- but I think if you wanted to do it, mail in Washington, you would mail everybody a PIN or something like that. I think we're not as good as we could be. If somebody marked the ballots post-casting, if somebody didn't fill in a ballot, just wanted to cast a blank ballot, or left it blank and somebody filled it in later, the voter doesn't have a credible way of protesting that, because we don't have a confirmation code that said I didn't vote for anybody. So if you had a none-of-the-above choice maybe that would take care of that. Large team. David Chaum was the lead. Rick Carback was the graduate student at Maryland, first contact with Takoma Park. Jeremy Clark, graduate students. Stefan Nist working on voting. Peter Ryan, inventor of Prêt à Voter. And Alan Sherman, University of Maryland, worked really hard from the George Washington University, making it all hang together. Takoma Park officials, Board of Elections. Four-way team that had threshold crypto, four election officials; the board of elections folks actually worked with us directly and managed some of -- they took a special role in the managing of the crypto keys.
And Ben did a great job with the auditing of the information that was posted on the website. Lillie Coney did the ballot audits. Filip Zagórski also looked at the information that was posted and the checking on that, and Lynn Bowmeister did some of the surveys we had. We have a separate paper coming out on some of the survey data from this. So that's basically what I wanted to say. It really worked. The election worked. The voters seemed satisfied with it. I think there were some minor glitches here and there. But this extra layer of mechanism didn't seem to cause any undue problems. People who could check seemed to like it, and a lot of people didn't get the information that they could check soon enough. So they had already cast their vote, and they said, oh, I can check online. It was too late to get their confirmation codes. But I think this is a very promising election. It says that these kinds of end-to-end verifiable elections really can work in the field in practice. You can provide this level of integrity guarantees on ordinary political elections. I mean, the scalability of this system, the business aspects are sort of not there yet. But to make the printing work better and have a business organization. This was just a bunch of academics working with Takoma Park. But there should be some process for making this work. And one part I didn't say, Ben didn't say either, I think you should understand that there's a bit of a trade-off here between privacy and integrity. These systems are improving integrity because you have an additional layer of mechanism. But there's an additional risk to privacy because you've got crypto keys which, if they got disclosed, could reveal how people voted. If you had a state constitution that said you absolutely have to have indistinguishable ballots and total voter privacy, something like this, this system doesn't have that because we're introducing a risk to privacy here. 
But threshold encryption and stuff like that, I think it's a very reasonable trade-off myself. So that's all I wanted to say. >> Josh Benaloh: Thank you. [applause] >> Ron Rivest: Happy to take questions. >> Josh Benaloh: Any further questions on the actual Takoma Park process and Scantegrity process and how it's going, before we sort of get into the different issues? >>: Did you have any challenges because people wrote their numbers down wrong? They wrote down [indiscernible]. >> Ron Rivest: This one fellow wrote down the 8-0 thing. He agreed that he probably wrote it down, or he wasn't sure at the time what it was. He wrote down a 0 and the website said an 8. That was the only challenge we had. >>: From an operational standpoint, what do you think the increased cost per ballot is, the pens and those things? >> Ron Rivest: It's not very much. Compared to having DREs, the nice thing about having an op scan and the per-voter cost is it's just the cost of printing the ballot. Here the ballots need to be unique. That's not a big deal. This was graduate student time, and we had students filling up the ink cartridges, syringes, stuff like that. It's hard to measure exactly what that is if you're doing a commercial operation. This technology would have to be refined to get real cost estimates. >>: There's no real cost component -- >> Ron Rivest: It's cheap. The printing has got to be unique. You have to make sure the ink works on those printers. You've got a website to run. That's about it. >>: Do they want you back? >> Ron Rivest: Pardon? >>: Do they want you back for the -- >> Ron Rivest: They do, actually. >>: Great. >> Ron Rivest: So I'm not sure when we're going to do that or if we're going to do that. But they do want us back. >>: Okay. So I wanted to hit process a little bit here. We agreed beforehand that we wanted to try to focus on open issues and questions and things that could be improved. 
So in the spirit here of being most critical of those you love in some sense, I really do like Scantegrity a lot, I propose -- I came up with a list of about half a dozen things that seem to me open issues that can have improvement, and hopefully there will be others -- maybe the best thing to do is to read it at this point. So the first thing I find difficult is something that came up explaining the system, the conceptual complexity. I actually find this more difficult than explaining, to encrypt and, as Ben described this morning, the process of encrypting and going through a mix net or [indiscernible] decrypt. Because it's not quite encryption. Even though it's mathematically simpler, the graph -- I haven't found a good way to explain it to people yet. I don't know if there is a good way for -- >> Ron Rivest: I agree. I think as we experiment with different systems and as we experiment with the explanations of these systems they'll get better. But you're adding new mechanism that's got a certain level of complexity to it. Somebody who wants to understand what's going on has to digest a somewhat complicated explanation, and maybe there are better systems to choose for that reason or better ways of explaining this system. >>: Next on my list is the issue of the linkage between the verified and the traditional tally, which seemed pretty close here. I'm always concerned about a system where we've got these two tallies and they're not exactly the same and how do you reconcile them. So I like the linkage to be as tight as possible. >> Ron Rivest: The reconciliation between the -- >>: Op scan tally and the verified tally. >>: It was very close. >>: It was very close. >>: Very close. >>: Which is very good. >>: And all of them were explained by -- there were some absentee ballots. They were all accounted for. >>: Good. 
>> Ron Rivest: The process was very comfortable for the election officials, I think, in terms of understanding that there were some -- there are always discrepancies and you have to go through and try and figure out what's going on, and here you've got good solid records of that. But there were no really new categories of issues introduced, I think. >>: Third thing on my list was issues with a corrupt or malicious printer who knows the codes. Somebody has to print it. Some machine has to print the codes. If you do know the codes, you can create spurious challenges -- >> Ron Rivest: That's right. If somebody knows the codes ahead of time that's exactly what they can do, they can challenge and seem credible for that. You can always go back and look at the ballots, if somebody said I voted for X and you're showing Y or whatever; these ballots have serial numbers. You can go back in the back room and pull it out. There's been work that Alex and others have looked at trying to separate the printing out, you can have printing in stages, have different layers of printing and stuff like this, where the ink is mixed in different layers somehow. Maybe the serial number goes on it. I don't know if I understand these proposals very well yet. But there is a single point of failure there with this design, which is at the printing stage, and it's a failure, it fails for voter privacy or for the ability to protest. >>: Ron, what you were just saying, the printing in layers, is there any -- it seems like combining David Chaum's visual [indiscernible] with potentially some things that can become active only when both have been printed. >> Ron Rivest: Yes, there's room for research figuring out ways of mitigating this. >>: It does seem like that's the one thing that's a little bit -- probably can be resolved, that's even better. >>: I'll add a fourth and we can stop there. 
The fourth thing I'd like to mention is full voter verifiability, in the sense that I trust [indiscernible] but maybe there's somebody out there who doesn't. As an individual, very suspicious voter, how do I have assurance in the integrity of the ballots? Am I allowed to spoil a bunch of ballots myself? Is there another process? >> Ron Rivest: That was designed -- this is the first time this rolled out. We wanted to keep things simple for the voters. And the best, purest solution to this is to have voters get a choice of ballots and spoil one and cast the other or something like that. And so we thought about that. Throughput was an issue, getting the voters through, and complexity for the voters. They had to understand. They had this option. Asking voters to randomly -- randomly pick a ballot, pick two ballots, randomly pick one to cast and one to -- the election officials decided they didn't want to get into that. So we had a process where we had a designated representative to act as essentially a proxy for the voters to check on the ballots. But there's nothing in principle for why it couldn't have been done on an ad hoc basis. As this continued to be used, as people got familiar with it, I could imagine sliding into that on a discretionary basis for some of the voters or all of the voters if they wanted to. No reason you can't. It's sort of managing voter understanding of what's going on. For those that don't care about this, they don't care about verifying this aspect of it. >>: Any other issues? >>: Let's see, this is going to be a little long. First, let me start by saying that it falls into what you had at the end, about as far as a little compromise on the privacy side when we do these things. But the example that you gave of keys being revealed, that really requires all or most of the election officials to participate in that. And I guess I've always been of the opinion that if you've gotten to that point you've got bigger problems than running elections. 
So that one is a little less of a concern to me. But in this situation, as I understand it, you have some opportunity for an insider coercion attack, right? I mean, if there's still access to the ballots for the purposes of recount, after the fact, right, and the coercer can force the voter to reveal his codes before, he can go through and look for a ballot that happens to have that particular -- >> Ron Rivest: Paper ballots by state law or federal law kept for 22 months, federal law, right. >>: For federal elections, yes. >> Ron Rivest: Federal election. I'm not sure what the law was here. The paper ballots are identifiable and the voter could be coerced conceivably because an election official said I had access to the ballots. >>: In fact -- >> Ron Rivest: In principle, the voter has some choice about which ballot they get. So there's no table linking voter names to ballot numbers. Right? So -- >>: That's not important if you can give them the sequence of codes that you revealed when you voted, right? So -- >> Ron Rivest: They are posted on the Web. As soon as the election's over, the ballot -- anybody knows those numbers. As soon as the election closes -- >>: I understand. But if I, on my way out, before it ever gets posted, if I'm on my way out, I reveal to a coercer, I'm asked to reveal to a coercer what my sequence of choices were, that will eventually link me back to a particular ballot, paper ballot, in the accounting process, right. >> Ron Rivest: Yes, that's correct. >>: And I guess the reason I bring this up is I'm aware of certain, of real-world coercion attacks, and most of them from the city of Albany. And all of them I'm aware of is -- >> Ron Rivest: Albany, New York. >>: Yes. >> Ron Rivest: I grew up in Schenectady. >>: So, I mean, I think we need to be careful. I guess what I'm getting at -- summing this all up, I think it's safe to say that we're building our assumptions of privacy on the assumption that not all election officials are simultaneously corruptible. 
But to build your assumption of privacy on the notion that no one will ever be corruptible is a slightly regrouped assumption. >> Ron Rivest: I guess that's a fair comment, yeah. The fact that these ballots exist, they have serial numbers on them and are unique, you can go back and look at them, increases the risk to privacy and coercion attacks. I agree. >>: We'll thank you again, Ron. >> Ron Rivest: Sure. [applause]