Enhancing Voter Verified Paper Audit Trail (VVPAT)
Integrity Using Encryption
Chip Andrews
Columbus State University
4225 University Avenue
Columbus, Georgia 31907
andrews_charles@colstate.edu
ABSTRACT
In this paper, we describe the verification methods used to prevent
fraud in elections that utilize e-voting machines and the Voter
Verified Paper Audit Trail (VVPAT). Specifically, the paper will
investigate methods that can be used to verify that the paper audit
trails themselves have not been compromised by using various
techniques. There are many attacks that can be staged against
paper ballot receipts in VVPAT systems, including ballot
stuffing, receipt forgery, and tampering with officially printed
receipts.
In addition to a description of the attack vectors, this paper
proposes how adding specific cryptographic methods to the paper
ballot receipts can add both integrity and authentication to the
voting process. Specifically, adding the combination of
cryptographically secure random number generators and digital
signatures can help to harden the paper ballot receipts against
attack so that they can act as a reliable verification of the e-voting
machines.
Finally, there is a discussion of the overall weaknesses of VVPAT
systems and the solutions presented in this paper. The paper
concludes with some discussion of alternative methods and future
technologies that may replace the need for VVPAT systems
entirely.
General Terms
Measurement, Design, Reliability, Security, Human Factors,
Theory, Verification.
Keywords
VVPAT – Voter Verified Paper Audit Trail
DRE – Direct Recording Electronic Voting System
1. INTRODUCTION
Voters around the world are becoming more and more suspicious
of Direct Recording Electronic Voting Systems (DRE), a specific
instance of an e-voting system [1]. DRE systems were originally
thought to be the solution to some of the voting irregularities that
arose in the U.S. Presidential election of 2000, which evoked
previously unknown terms such as “hanging chads” and “pregnant
chads” which personified the challenges of punch card voting
systems. DRE systems were supposed to solve all of those
problems by providing efficient tabulating processes and
voter-friendly interfaces (typically touch screens).
However, in recent years web sites such as Black Box Voting
have acted as rallying points for an ever-increasing number of
critics who are worried that DRE systems are too susceptible to
tampering which could invalidate the entire voting process. In
fact, two documentary-style movies (“Hacking Democracy” and
“Uncounted”) have been released in recent years that have helped
to bring these concerns to the masses. The primary concern is
that, without some ability to independently verify election results
(either by local districts or independent groups such as Black Box
Voting), it is trivial for someone to alter the election results. For
example, in a punch card system, someone would need to gain
physical access to the punch cards to tamper with the results. A
voter can physically inspect a punch card to see if it recorded the
intended data before submitting the results. However, in DRE
systems, the voter must simply trust that the program code,
recorded data, and memory cards are all properly recording the
intended results – a much more difficult feat than inspecting a
punch card.
Out of these challenges arose the need for a Voter Verified Paper
Audit Trail (VVPAT). The VVPAT would basically allow a DRE
system to produce a verifiable paper audit “receipt” of the voting
process (see Figure 1). This “receipt” could be verified by the
voter to ensure it matches the voter’s intent, and then submitted as
a secondary ballot. The paper trail allows the more efficient DRE
system to be verified in case of a random audit or a disputed
recount. While less efficient and at additional cost, the VVPAT
system adds integrity to the voting system by allowing for a way
to verify that the electronic results of the DRE have not been
tampered with.
Figure 1. Sample VVPAT system with printer attached
In summary, VVPAT systems allow the voter to be sure their vote
is counted no matter how the DRE system is implemented. For
example, some DRE systems transmit their data over the Internet
which could expose the data to attack or corruption. Additionally,
since there is no time for each voter to review the source code for
each DRE machine (assuming they have the necessary skills), it is
very possible that an attacker could modify the machine to skew
the voting results in any number of ways. By attaching a VVPAT
printer to the DRE machine, the voter is able to get a physical
representation of their voting intent which they can personally
verify. VVPAT systems mitigate the debate regarding the
technical implementation details of DRE systems since the results
of the e-voting systems are always verified by the VVPAT paper
trail.
2. PROBLEM STATEMENT
Despite the integrity provided by using VVPAT systems in DRE
voting systems, there are still several attacks that are possible on
the paper trail. Since the paper trail will generally be considered
to be the “true” count in an election, it provides a very likely
target for attack[2]. Due to the various ways that VVPAT systems
are implemented, the attack vectors will differ from system to
system.
For example, in VVPAT systems that allow the voter to handle
the paper receipt, it is possible that someone could forge large
quantities of false receipts and submit them at the same time as
the legitimate ballot. In VVPAT systems that do not allow the
voter to touch the receipt, the results are usually displayed behind
some sort of glass separator which prevents tampering. However,
in this case, the voting machine itself could be manipulated by an
attacker to void the original receipt and then re-print a false ballot
for actual submission. Also, the spooling of paper ballots, which
is often a feature of glass separated voting systems, can also defeat
the anonymity of the elections process since the votes are
recorded in precise order [3].
Additionally, in an effort to add efficiencies to the paper receipt
tabulation, some VVPAT systems will print barcodes on the
printed ballot receipts so that they can quickly be read by
machines in the event of a recount or random audit of the paper
ballots. However, the barcodes themselves could become an area
of attack in that a compromised voting machine could produce a
paper ballot that matches the voter intent in the human-readable
section but contains contrary information in the barcode[4]. Such
a barcode presents a dangerous covert channel for attackers since
it is very unlikely that each ballot barcode would be compared
against the human-readable section unless there was a specific
reason to suspect foul play.
Finally, in a more obvious attack, there is always the possibility of
“ballot stuffing” by insiders in the elections process. If someone
could produce large quantities of false ballot receipts, they could
simply replace the voter-vetted receipts with the false ballots and
effectively alter the outcome of the election in that district.
What is needed to mitigate these attacks is a way to
cryptographically verify that a given paper ballot was produced by
a given machine. Doing so should greatly increase the difficulty
of producing false paper ballot receipts either by voters or by
elections officials. If VVPAT is going to be used to verify the
electronic results of DRE systems, it is imperative that the
integrity of the paper ballot receipt be assured to the best of our
ability.
There exist two primary challenges to paper ballot receipt
validation:
(1) Creating a verifiable link between a vote instance on the
DRE computer and the paper ballot. This must be done
so that for each paper ballot receipt – a corresponding
electronic vote can be associated and verified. Doing so
greatly mitigates the problem of “ballot stuffing” or the
false introduction of fake paper ballot receipts into the
system.
(2) Providing a method whereby a particular paper ballot
receipt can be verified that it has not been altered in any
way. For example, if an attacker has access to the paper
ballot receipts before tabulation, he should not be able
to alter the information on the ballot as to bypass the
ability of the auditors to detect such alteration.
3. PREVIOUS WORK
In a paper called “An Examination of the Auditability of Voter
Verified Paper Audit Trail (VVPAT) Ballots” by Stephen Goggin
and Michael Byrne[5], the authors investigate the weaknesses of
VVPAT systems in general. Specifically, their concerns center
around the fact that relying on a very manual process of hand
counting paper ballots does not necessarily help to add integrity.
As an example, in one study only 57% of participants were able to
manually count the paper ballots correctly. Based on the
conclusions in that paper, the addition of some sort of very
accurate, automated method of processing paper ballots is needed.
While they do not propose any specific solutions, it is obvious that
whatever solutions are added to the VVPAT process, they need to
provide for the ability to create a more efficient and verifiable
process.
Figure 2. Sample of a VVPAT paper ballot receipt
In regards to the use of cryptography in voting systems, Ben
Adida and Ronald L. Rivest collaborated on a paper called
“Scratch & vote: self-contained paper-based cryptographic
voting” in which they propose an entire new voting system based
on cryptographic methods[6]. As opposed to this paper which
attempts only to enhance the integrity of current systems, “Scratch
and vote” is a complete re-thinking of the entire elections process
with specially formed ballots, barcodes, and advanced
mathematical methods to ensure integrity. Unfortunately, in
addition to the cost of replacing all existing voting systems, the
Adida and Rivest solution also involves very complex
mathematical constructs that could eventually be defeated and are
likely not understood by voters (and therefore possibly not
trusted).
4. PROPOSED SOLUTIONS
The solutions to be proposed by the author of this paper address
the very specific issue of verifying the validity of paper ballot
receipts. The issue of whether or not to include barcodes is not
relevant to this discussion. The use (or lack thereof) of barcodes
has no relevance in the context of paper ballot receipt validation
and barcodes could certainly be used to display the cryptographic
information if that was desired or if an acceptable method for
detecting discrepancies between human-readable and bar-coded
content could be devised.
4.1 Unique Identifiers
The first proposed change is to create a unique identifier for each
vote instance and store it on both the electronic record and the
paper ballot receipt. This allows for an auditable verification that
each electronic vote can be matched up against a corresponding
paper ballot receipt and in and of itself creates a huge barrier to
both internal (voting systems staff) and external (actual voters)
attackers.
This unique identifier should not be a simple incremental number
despite the fact that an incremental number should effectively
eliminate duplicates. Using an incrementing integer would allow
for an attacker to possibly predict a series of identifiers and
successfully introduce forged paper ballot receipts into the
system.
A more resilient solution than incrementing unique identifiers
would be to compute a cryptographically random unique identifier
for each paper ballot receipt. Systems that can produce the
required level of randomness are referred to as cryptographically
secure pseudo-random number generators (CSPRNG). Such
systems produce random numbers that have an acceptable level of
randomness and should not allow attackers to predict the unique
identifier for any given DRE machine [7]. In addition, each
unique identifier could be prefixed with a unique identifier for
each voting machine which would mean the randomly computed
numbers would only need to be unique for each machine. This
should greatly reduce the possibility of a collision assuming the
random numbers are pulled from a large enough range of values.
4.2 Digital Signatures
To address the challenge of detecting tampering of paper ballot
receipts, it is recommended that each ballot also contain a digital
signature of the ballot contents. In addition to tamper-detection,
the inclusion of a digital signature provides the ability to
authenticate a particular voting machine as the producer of the
receipt and signature.
In order to authenticate the actual voting machine, a public key
cryptography key pair should be generated (using acceptable
public key algorithms and key lengths) for each voting machine
before any given election to ensure key rotation can protect the
private keys over time. The private key should be stored on the
DRE machine while the corresponding public keys are kept in a
directory available to the voting system components. When a
paper ballot receipt is printed, the private key is used to sign a
hash of the ballot contents and the signature is then appended to
the paper ballot receipt.
The addition of this signature allows the machine processing the
paper ballot receipts to read the signature and validate it using the
public key for the appropriate DRE machine (identified by its
Unique Identifier discussed in section 4.1). Once the signature is
verified, the paper ballot receipts can be verified to:
1. Be in original, unaltered form
2. Be generated by a specific DRE machine
Note that this does not prevent someone from using the machine
to create invalid ballots prior to the election and then stuffing the
ballot box later. The use of the unique identifier should
effectively mitigate that risk assuming it can be guaranteed that
the machine begins the actual supervised voting process with no
unique identifiers generated.
Figure 3 gives a general overview of the digital signature process
for the DRE machine in relation to the paper ballot receipt.
Figure 3. Digital Signature Process for Paper Ballots
It may be advantageous to prevent the recording of a timestamp as
part of the paper ballot receipt printing process in order to protect
the identity of voters. If timestamps are encoded on the ballots, it
may be possible for someone to use the timestamp as a way to
identify voters by correlating serialized timestamp data with the
order in which voters used the machine. This is also one of the
arguments against using take-up reels for the printing of VVPAT
receipts.
At the current time, there is only one DRE machine vendor that
appears to be pursuing the features proposed in this paper:
TruVote International of Nashville, TN [8]. TruVote clearly
displays a sample VVPAT paper receipt (as shown in Figure 4)
with a validation number which is the unique identifier tying the
paper receipt to the actual voting machine. In addition, TruVote
also claims to use a digital signature which is likely encoded in
the two-dimensional barcode (also visible in Figure 4). While
TruVote does not appear to offer any technical details about how
these features are implemented, the fact that they clearly promote
both features shows that vendors may be beginning to see the
value in using cryptographic methods to verify the validity of
VVPAT paper receipts.
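The two measures of sections 4.1 and 4.2, modelled together in an added Go example that is not from the paper or from any vendor: it assumes Ed25519 as the "acceptable public key algorithm", a 128-bit identifier from the operating system CSPRNG prefixed with a hypothetical machine id, a hypothetical receipt layout, and a tabulation-side check that, besides the signature, requires the identifier to match an electronic vote with the same printed contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Receipt is a hypothetical layout of what the DRE prints on the paper ballot receipt.
type Receipt struct {
	ID        string // "<machine id>:<random part>" (section 4.1)
	Choices   string // human-readable selections, e.g. "PRES=A;SEN=B"
	Signature []byte // machine signature over ID and Choices (section 4.2)
}

// NewReceiptID prefixes a 128-bit value from the OS CSPRNG with the machine identifier,
// so identifiers are unpredictable and only need to be unique per machine.
func NewReceiptID(machine string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return machine + ":" + hex.EncodeToString(b), nil
}

// digest hashes exactly the printed fields that are signed; deliberately no timestamp.
func digest(id, choices string) []byte {
	h := sha256.Sum256([]byte(id + "\n" + choices))
	return h[:]
}

// Sign is the DRE's print-time step with its per-election private key.
func Sign(priv ed25519.PrivateKey, id, choices string) Receipt {
	return Receipt{ID: id, Choices: choices, Signature: ed25519.Sign(priv, digest(id, choices))}
}

// Verify is the tabulation-side check: the ID must match an electronic vote with the same
// contents (defeats stuffing), and the signature must validate under the named machine's key.
func Verify(r Receipt, pubs map[string]ed25519.PublicKey, electronic map[string]string) error {
	machine := strings.SplitN(r.ID, ":", 2)[0]
	pub, known := pubs[machine]
	if !known {
		return fmt.Errorf("unknown machine %q on receipt %s", machine, r.ID)
	}
	stored, found := electronic[r.ID]
	if !found {
		return fmt.Errorf("no electronic vote for %s (possible stuffing)", r.ID)
	}
	if stored != r.Choices {
		return fmt.Errorf("paper contents for %s differ from electronic record", r.ID)
	}
	if !ed25519.Verify(pub, digest(r.ID, r.Choices), r.Signature) {
		return fmt.Errorf("bad signature on %s (forged or altered)", r.ID)
	}
	return nil
}
```

A receipt signed by a machine whose key is not in the directory, an altered receipt, and a correctly signed receipt with no matching electronic vote are all rejected by Verify.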
Figure 4. Sample VVPAT Receipt from TruVote International
5. CONCLUSIONS
It is clear that voting trends in the United States are moving
towards the use of VVPAT systems to verify DRE results. In
2002, Congress passed the Help America Vote Act (often referred
to as HAVA) which stipulates that voting systems in the United
States should “produce a permanent paper record with a manual
audit capacity for such systems” [9]. Additionally, there is an Act
(still in committee) called H.R. 811 which strengthens the
VVPAT recommendations of HAVA and provides additional
details and restrictions around the use of VVPAT systems that
ensure measures such as mandatory audits, certified voting
machines, and manual counting are used to maximize the integrity
of paper ballot receipts. However, at this time H.R. 811 does not
address the problem of how to verify that the paper ballot receipts
are authentic and appears to rely mostly upon physical controls
rather than encryption to provide those protections.
While it is important to strengthen the integrity of VVPAT
systems by any means necessary, it should be noted that even with
the use of cryptographic methods to harden these systems, there
are still significant challenges. For example, there is significant
evidence that voters fail to take the time to verify paper ballots
which could lead to incremental attacks such as only forging a
small number of paper ballots per voting machine [10]. In
addition, paper ballots have limited lifetimes and are difficult and
expensive to tabulate in the event a paper-based recount is
required. Finally, the accuracy of the manual hand counting that
may be required to count VVPAT receipts is also very suspect as
was discussed in the Goggin and Byrne paper (section 3).
While adding cryptography can be helpful in verifying the
integrity of the paper ballots, it will require significant
programming and automation to make the process of validation a
reality. By adding yet another layer of technology to the voting
process, it is very possible that attackers will simply shift their
focus from attacking the paper ballot receipts to attacking the
computer systems responsible for verifying those paper ballots.
Due to VVPAT’s weaknesses, it is worth considering alternatives
that could provide both an independent and presumably
unalterable verification mechanism. For example, it might be
possible to record video and/or audio (for visually impaired
voters) of the voting process which could be analyzed by
computers to produce a verifiable tabulation of voter intent – also
known as a Voter Verified Video Audit Trail (VVVAT). While it
is not clear that the technology currently exists for such a system,
it is possible that a method of this type would be able to capture
voter intent without requiring a second medium that must be
verified manually by the voter.
6. REFERENCES
[1] Bannet, J., Price, D., Rudys, A., Singer, J., and Wallach, D.
2004. Hack-a-Vote: Security Issues with Electronic Voting
Systems. IEEE Security & Privacy, 2(1):32–37
(January/February 2004).
[2] March, J. 2009. Security Theatre: Degrading, petty, & a
violation of our rights. Black Box Voting.
http://www.bbvforums.org/forums/messages/1954/80306.html?1265108919
[3] Calandrino, J., Clarkson, W., and Felten, E. 2009. Some
Consequences of Paper Fingerprinting for Elections. Center
for Information Technology Policy and Dept. of Computer
Science, Princeton University.
[4] Hall, J. 2006. Design and the Support of Transparency in
VVPAT Systems in the US Voting Systems Market. UC
Berkeley, School of Information.
[5] Goggin, S. and Byrne, M. 2007. An Examination of the
Auditability of Voter Verified Paper Audit Trail (VVPAT)
Ballots. Rice University.
[6] Adida, B. and Rivest, R. 2006. Scratch & vote: self-contained
paper-based cryptographic voting. In Proceedings of the 5th
ACM Workshop on Privacy in the Electronic Society, pages
29–40. ACM Press.
[7] Eastlake, D., Crocker, S., and Schiller, J. 2005. Randomness
Requirements for Security. RFC 4086.
http://tools.ietf.org/html/rfc4086
[8] TruVote International. Voter Verified Paper Ballots.
http://www.truvote.com/PaperBallot%20Compare.htm
[9] Help America Vote Act of 2002, H.R. 3295, 107th Congress.
(2002).
[10] Dill, D. 2003. VVPR Attack with Misprinted VVPAT.
National Institute of Standards and Technology.