User:PulpSpy/E2E Draft

Part of a series on
Election technology
Technology
Absentee ballot Chad DRE voting machine Electronic voting Electronic voting machine Optical scan voting system Provisional ballot Voting machine Voter-verified paper audit trail Vote counting system
Terminology
Central count or CCOS Overvote Precinct count or PCOS Undervote Residual vote or drop-off
Testing
Acceptance testing Qualification testing Software verification Usability testing
Manufacturers
Election Systems & Software Hart InterCivic Dominion Voting Smartmatic
Related aspects
Certification of voting machines Independent Testing Authority (ITA) NVLAP VVSG End-to-end auditable voting systems Help America Vote Act Independent verification systems Secure Electronic Registration and Voting Experiment Software independence
v t e

End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper-resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were not modified, without revealing which candidates were voted for. As such, these systems are sometimes referred to as receipt-based systems.

Overview

The technical process of vote tallying can be broken into two general steps:

1. voted ballots are gathered into a collection of voted ballots, and
2. the collection of voted ballots are counted to produce the final tally.

Measures such as voter verified paper audit trails and manual recounts protect the integrity of the second step but do not ensure the correctness of the first step. Ballots could be removed, replaced, or could have marks added to them (i.e.,to fill in undervoted contests with votes for a desired candidate or to overvote and spoil votes for undesired candidates). The end-to-end nature, referenced by the name E2E, protects the integrity of the ballot from step 1 through to step 2.

In general, E2E provides two assertions of integrity and one assertion of privacy:

• Any voter can verify that his or her ballot is included unmodified in a collection of ballots;
• Any voter (and typically any independent party additionally) can verify, with high probability, that the collection of ballots produces the correct final tally;
• No voter can demonstrate how he or she voted to any third party.

Some researchers argue that the latter privacy assertion is not inherent in the definition of E2E.^{[citation needed]} However the Election Assistance Commission lists ballot secrecy as a property of E2E systems in the 2005 Voluntary Voting System Guidelines.^[1] This definition is also predominant in the academic literature.^[2][3][4][5]

Note that assertions regarding ballot stuffing are not inherently addressed by the definition of E2E, although they can be externally verified by comparing the number of votes cast with the number of registered voters who voted.

E2E Systems

In 2004, David Chaum proposed a solution that allows a voter to verify that the vote is cast appropriately and that the vote is accurately counted using visual cryptography.^[6] After the voter selects their candidates, a DRE machine prints out a specially formatted version of the ballot on two transparencies. When the layers are stacked, they show the human-readable vote. However, each transparency is encrypted with a form of visual cryptography so that it alone does not reveal any information unless it is decrypted. The voter selects one layer to destroy at the poll. The DRE retains an electronic copy of the other layer and gives the physical copy as a receipt to ensure the ballot is not later changed. The system guards against changes to the voter's ballot and uses a mix-net decryption^[7] procedure to ensure that each vote is accurately counted. Sastry, Karloff and Wagner pointed out that there are issues with both of the Chaum and VoteHere cryptographic solutions.^[8]

Chaum has since developed Punchscan, which has stronger security properties and uses simpler paper ballots.^[9] The paper ballots are voted on and then a privacy-preserving portion of the ballot is scanned by an optical scanner.

The Prêt à Voter system, invented by Peter Ryan, uses a shuffled candidate order and a traditional mix network. As in Punchscan, the votes are made on paper ballots and a portion of the ballot is scanned.

The Scratch and Vote system, invented by Ben Adida, uses a scratch-off surface to hide cryptographic information that can be used to verify the correct printing of the ballot.^[10]

The ThreeBallot voting protocol, invented by Ron Rivest, was designed to provide some of the benefits of a cryptographic voting system without using cryptography. It can in principle be implemented on paper although the presented version requires an electronic verifier.

The Scantegrity and Scantegrity II systems provide E2E properties, however instead of being a replacement of the entire voting system, as is the case in all the proceeding examples, it works as an add-on for existing optical scan voting systems. Scantegrity II employs invisible ink and was developed by a team that included Chaum, Rivest, and Ryan.

History

A number of systems with some extent of end-to-end verifiability have been used in both trial and binding elections. Generally, end-to-end systems guarantee ballot secrecy. However several internet-based systems have been deployed which do not necessarily ensure the incoercibility of a voter's choice from someone looking over their shoulder while they vote (which is also possible in vote-by-mail systems).

• 1998: InternetStem internet system is used for a shadow election of the Netherlands national election.
• 1999: VoteHere internet system is used in the Republican straw poll by several Alaskan districts.
• 200?: An intranet system designed by NEC researchers is used by an unnamed private organization in Japan.
• 2004: REIS internet system is used in the Netherlands in two district water board elections.
• 2006: REIS is used in the Netherlands national election.
• 2007: Punchscan optical scan system is used in the University of Ottawa student election.
• 2009: Helios internet system is used in the Université catholique de Louvain and Princeton student elections.
• 2009: Scantegrity optical scan system is used in the Takoma Park municipal election.

The 2009 Scantegrity election in Takoma Park election also marked the first time an open source voting system was used in a public sector election in the United States.

Examples

• Prêt à Voter
• Punchscan
• Scantegrity
• ThreeBallot
• Bingo Voting

References

1. 2005 Voluntary Voting System Guidelines, Election Assistance Commission
2. Jeremy Clark, Aleks Essex, and Carlisle Adams. On the Security of Ballot Receipts in E2E Voting Systems. IAVoSS Workshop on Trustworthy Elections 2007.
3. Aleks Essex, Jeremy Clark, Richard T. Carback III, and Stefan Popoveniuc. Punchscan in Practice: An E2E Election Case Study. IAVoSS Workshop on Trustworthy Elections 2007.
4. Olivier de Marneffe, Olivier Pereira and Jean-Jacques Quisquater. Simulation-Based Analysis of E2E Voting Systems. E-Voting and Identity 2007.
5. Ka-Ping Yee. Building Reliable Voting Machine Software. Ph.D. Dissertation, UC Berkley, 2007.
6. Chaum, David (2004). "Secret-Ballot Receipts: True Voter-Verifiable Elections". IEEE Security and Privacy. 2 (1): 38–47. doi:10.1109/MSECP.2004.1264852. {{cite journal}}: Cite has empty unknown parameter: |coauthors= (help)
7. Reusable anonymous return channels
8. Chris Karlof, Naveen Sastry, and David Wagner. Cryptographic Voting Protocols: A Systems perspective. Proceedings of the Fourteenth USENIX Security Symposium (USENIX Security 2005), August 2005.
9. Steven Cherry, Making every e-vote count, IEEE Spectrum, Jan 2007.
10. Scratch & Vote: Self-Contained Paper-Based Cryptographic Voting (2006)

External links

• Verifying Elections with Cryptography — Video of Ben Adida's 90-minute tech talk
• Helios: Web-based Open-Audit Voting — PDF describing Ben Adida's Helios web-site
• Helios Voting System web-site