Voting Jurisdictions
• Voting in the U.S. is conducted by the states
– 50 states + DC + territories
– Supervised generally by Secretaries of State
– Delegated to 3170 counties
• ~10,000 voting jurisdictions (cities, school boards, …)
• ~200,000 precincts (avg. 60-70 per county)
• > 1,400,000 poll workers (avg. 7/precinct, 440/cty)
• 150 million registered voters, 105 million actually vote
• Federal government has very little power over elections
17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS
Functions of a Voting System
1. Authenticate voter
2. Present candidates and issues to voter
3. Capture voter’s preferences
4. Transport preferences to counting location
5. Add up vote totals (tabulation)
6. Publish vote totals (reporting)
7. Provide audit mechanism
But: vote must be secret
CS ISSUES
• SECURITY
• PRIVACY
• HCI
• SOFTWARE ENGINEERING
Authentication
• In each precinct, only registered voters are allowed to vote
• Need a registration system before the election
• Need authentication mechanism on Election Day
– Only registered voters vote
– No one can impersonate a voter
– Each voter can only vote once
• In this course, we will not discuss voter registration
Desirable properties of secret ballot elections
Accuracy
Privacy
Verifiability
Invulnerability (Democracy)
Convenience
Flexibility
Mobility
Trustworthy
Convenience
Voters can cast their votes quickly, in one session, and with minimal equipment or special skills
Flexibility
A variety of ballot question formats are permitted, including open-ended questions
Trustworthy
Voter feels that
– Vote was counted
– Vote was private
– Nobody else can vote more than once
– Nobody can alter others’ votes
People believe that the machine works correctly and that its behavior cannot be modified
These have to do with perception
It is also important that these perceptions are true
Ballot Types
• Document ballot
– Paper ballot
– punched-card
– optical scan
• Non-document ballot
– Lever machine
– DRE machine
Paper (.6%)
Advantages
– Simple
– Captures voter intent
– Not subject to equipment malfunctions
Disadvantages
– Time consuming to count
– Does not prevent over votes or under votes
Many ballot fraud schemes involving paper ballots
• Ballot box stuffing
• Ballot invalidation
• Pre-marked ballots
• Ballot theft
New York Times, April 4, 1855
BALLOT BOXES DESTROYED
INJURIES IN RIOTS
MORE BALLOTS CAST THAN NAMES ON THE POLL LIST
Florida’s Solution
“The ballots shall first be counted, and, if the number of ballots exceeds the number of persons who voted … the ballots shall be placed back into the box, and one of the inspectors shall publicly draw out and destroy unopened as many ballots as are equal to such excess.” F.S. §102.061
Why Do We Use Voting Machines?
• To prevent fraud
– Lever machine (1892) “To protect mechanically the voter from rascaldom”
• Faster, more accurate counting
Chads
SOURCE: PETER SHEERIN
Recount
• When a ballot is handled, it can be changed
• The voter’s intent must be determined
• Suppose only one of four corners is detached. Is it a vote?
• Dimpled chad, pregnant chad: how to count?
Punched-Card Problems
• Can’t see whom you’re voting for
• Registration of card in ballot frame
• Must use stylus: no positive feedback on punch
• Hanging chad: chad that is partially attached to the card
– How many corners?
– Hanging chad causes count to differ every time
• Dimple: chad that is completely attached but shows evidence of an attempt to punch
– Dimple can turn into a vote on multiple readings
Mark-Sense, Optical Scan (34%)
• Scanning methods
– Visible light
– Infrared
• Issues:
– Dark/light marks
– Some scanners require carbon-based ink
– Voter intent may not be captured by machine
• Machine does not see what the human sees
Optical Scan Vote Reading
• Is it reliable?
• Is voter intent captured?
• Can it be manipulated?
• Infrared v. visible light
– Problem: machine “sees” marks differently from voter
• What is a valid vote?
DRE Systems
• DRE means “direct recording electronic”
• There is no document ballot
• Voter votes by interacting directly with a machine, not by marking a piece of paper
• “Electronic voting system” means a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment. The system shall provide for a permanent physical record of each vote cast. Pa. Elec. Code.
A Well-Designed e-Voting Machine
READ-ONLY MEMORY
READ-ONLY MEMORY
RANDOM ACCESS MEMORY
WRITE-ONCE MEMORY
INTERNAL PAPER TRAIL
VOTER CHOICES
PROPRIETARY OPERATING SYSTEM (NOT WINDOWS)
BALLOT SETUP DATA
SOFTWARE FROM A TRUSTED SOURCE (NOT THE VENDOR)
16-HOUR BATTERY
NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET
TOTALS REPORT SIGNED BY ELECTION JUDGES
WRITE-ONCE MEMORY TO COUNTY BOARD
MACHINE SEALED WITH PAPER TRAIL
The Problem
• Voters do not trust DRE systems
• Why?
– Numerous irregularities around the country
– “Black box” phenomenon
– Reports by computer security specialists
– Warnings by computer scientists
– Jurisdictions rushing to replace old systems
– Secretive vendor behavior
– Public awareness of computer vulnerabilities
– Newspaper editorials, e.g. New York Times
The Problem
• Are DRE systems untrustworthy?
– Some are, some aren’t
• DRE systems used for 25 years without a single verified incident of tampering
– Much more difficult to alter computerized records than paper
– Proprietary operating systems
– Redundant encrypted memories
– Testing
• None of this matters. Perception governs
• What to do?
Statutory Requirements
• HAVA Sec. 301(a)(2)(i): “The voting system shall produce a permanent paper record with a manual audit capacity for such system.”
• Maryland Election Law 9-102(c): “Standards for certification.- The State Board may not certify a voting system unless the State Board determines that:
(1) the voting system will: … (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount”
Paper Trail Proposal
• Allow each voter to see her choices on paper before casting a vote
• If the choices are incorrect, they can be corrected
• The paper becomes the official ballot
• If there is a discrepancy between the paper record and the computer record, the paper governs
• Why? Because that’s the one the voter verified
Paper Trail Advantages
• Demonstrates to the voter that the machine captured her choices correctly
• Creates a sense of security among voters
Paper Trail Disadvantages
• No guarantee vote was counted, will ever be counted or paper will be in existence if a recount is ordered
• Massive paper handling and security problem
• Slow counting
– Sacramento experiment 06/04: took an average of 20 minutes per ballot to tabulate and verify results
– Recounting California would take 450 years
• Accessibility issues
• Voter confusion
– Must remember a lengthy ballot
• Machines questioned when nothing is wrong
• Increased demand for recounts
• Creates doubt among voters (CalTech-MIT Report)
Voting Problems
• Machine won’t operate
• Machine fails during the election
• Intruder tampers with paper records
– Stuffing, removal, alteration
• Machine captures choices incorrectly
• Intruder alters vote totals after election
• Machine maliciously or erroneously switches votes
NOT ADDRESSED BY PAPER TRAIL
SOLVED BY PAPER TRAIL
DEPENDS ON PHYSICAL SECURITY OF PAPER TRAIL
Evaluating information sources
Don’t believe everything you read!
News sources are usually a reporter's interpretation of what someone else did
Conference and journal papers are first hand reports of research studies that have been peer reviewed, but journals usually have more review than conferences
Technical reports are usually first hand reports of research studies that have not been peer reviewed (yet)
– Look for subsequent conference or journal publications
Web sites and books are anything goes, but books at least have an editor (usually)
When possible, cite research results and technical information from peer reviewed sources
Research and Communication Skills
Organizing a research paper
Decide up front what the point of your paper is and stay focused as you write
Once you have decided on the main point, pick a title
Start with an outline
Use multiple levels of headings (usually 2 or 3)
Don’t ramble!
Typical paper organization
Abstract
– Short summary of paper
Introduction
– Motivation (why this work is interesting/important, not your personal motivation)
Background and related work
– Sometimes part of introduction, sometimes two sections
Methods
– What you did
– In a systems paper you may have system design and evaluation sections instead
Results
– What you found out
Discussion
– Also called Conclusion or Conclusions
– May include conclusions, future work, discussion of implications, etc.
References
Appendix
– Stuff not essential to understanding the paper, but useful, especially to those trying to reproduce your results - data tables, proofs, survey forms, etc.
These sections may be different in your papers
Road map
Papers longer than a few pages should have a “road map” so readers know where you are going
Road map usually comes at the end of the introduction
Tell them what you are going to say in the roadmap, say it, (then tell them what you said in the conclusions)
Examples
– In the next section I introduce X and discuss related work. In Section 3 I describe my research methodology. In Section 4 I present results. In Section 5 I present conclusions and possible directions for future work.
– Waldman et al, 2001: “This article presents an architecture for robust Web publishing systems. We describe nine design goals for such systems, review several existing systems, and take an in-depth look at Publius, a system that meets these design goals.”
Use topic sentences
(Almost) every paragraph should have a topic sentence
– Usually the first sentence
– Sometimes the last sentence
– Topic sentence gives the main point of the paragraph
First paragraph of each section and subsection should give the main point of that section
Examples from Waldman et al, 2001
– In this section we attempt to abstract the particular implementation details and describe the underlying components and architecture of a censorship-resistant system.
– Anonymous publications have been used to help bring about change throughout history.
Avoid unsubstantiated claims
Provide evidence for every claim you make
– Related work
– Results of your own experiments
Conclusions should not come as a surprise
– Analysis of related work, experimental results, etc. should support your conclusions
– Conclusions should summarize, highlight, show relationships, raise questions for future work
– Don’t introduce new ideas in discussion or conclusion section (other than ideas for related work)
– Don’t reach conclusions not supported by the rest of your paper
Electronic Voting in 2004
• From the evoting viewpoint, the 2004 election was not very interesting
• 1444 reports to the Election Incident Reporting System
• Reports fell into three categories:
– Fantasies (allegations of fraud with no evidence)
– Misunderstandings (truthful but misinterpreted allegations)
– Genuine problems
• Problems exist that were not reported, e.g. voter privacy problems
Reported Problems
• Machine unreliability
• Changed votes
• Lost votes
Carteret County, NC
• UniLect Patriot DRE machine
• Used since 1996
• Software: Intellect 2.49; Firmware: 2.54
UniLect Patriot
SOURCE: UNILECT
VOTING MACHINE
BALLOT SETUP UNIT
PRECINCT CONTROLLER
Carteret County, NC
• Alleged by manufacturer to have a capacity of 10,500 ballots
• Used in Carteret County for early voting
• Real capacity was only 3,005
• But 7,537 people voted early
• Machine produces a warning when full, but does not prevent voting
• 4,532 votes were permanently lost
Carteret County, NC
• What happened?
• Machine had redundant ballot storage in machine and on memory pack
• But capacity was exceeded
• Many fixes available
– Don’t allow voting when machine is full!
– Increase capacity so it is huge
– Paper trail would have solved the problem
• No FEC Standards covering capacity
Craven County, NC
• Election Systems & Software DRE machine
• Hardware: Votronic Model 1
• Software: Unity 2.2
• Firmware: 5.28
Craven County, NC
• First election night tally showed 11,283 more votes for President than the 40,534 people first thought to have voted in the county
• Some precincts were counted twice
• Found by a reporter on Nov. 3
• One race was affected: County Board of Commissioners District 5 seat (1067-944)
• Problem would have been discovered in the canvass
Franklin County, OH
• Columbus, OH
• Danaher Controls (Danaher Guardian) DRE
• Model: ELECTronic 1242
Franklin County, OH
• A computer error with a voting machine cartridge gave President Bush 3,893 extra votes.
• Unofficial results gave Bush 4,258 votes to Kerry's 260 votes in Precinct 1B. Records show only 638 voters cast ballots in that precinct.
• Calls were received Thursday from people who saw the error when reading the list of poll results on the election board's Web site.
• After Precinct 1B closed, a cartridge from one of three voting machines at the polling place generated a faulty number at a computerized reading station.
• The reader also recorded zero votes in a county commissioner race.
Franklin County, OH
• County elections director said the error would have been discovered when the official canvass for the election is performed later this month.
• The cartridge was retested Thursday and there were no problems. He couldn't explain why the computer reader malfunctioned.
• Workers checked the cartridge against memory banks in the voting machine Thursday and each showed that 115 people voted for Bush on that machine. With the other machines, the total for Bush in the precinct added up to 365 votes.
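The Carteret, Craven and Franklin incidents above are the kind of discrepancy a canvass reconciliation is meant to catch. The following Python check is an added example, not part of the original slides: it compares cartridge uploads against poll-book sign-ins. The Franklin and Carteret totals come from the slides; the per-machine splits, cartridge ids, unit names and the Craven precinct figures are constructed.

```python
from collections import defaultdict

def reconcile(poll_book, uploads):
    """Compare cartridge uploads with poll-book sign-ins.

    poll_book: {unit: voters signed in}
    uploads:   [(unit, cartridge_id, ballot_records, {candidate: votes})]
    Returns a list of (unit, finding, detail) tuples.
    """
    findings, seen = [], set()
    records, votes = defaultdict(int), defaultdict(int)
    for unit, cartridge, stored, race in uploads:
        if (unit, cartridge) in seen:
            # Same cartridge read twice: flag it and keep it out of the totals.
            findings.append((unit, "DUPLICATE_UPLOAD", cartridge))
            continue
        seen.add((unit, cartridge))
        records[unit] += stored
        votes[unit] += sum(race.values())
    for unit, voters in poll_book.items():
        if unit not in records:
            findings.append((unit, "NO_UPLOAD", voters))
            continue
        if records[unit] < voters:
            # Fewer stored ballots than sign-ins: ballots were lost.
            findings.append((unit, "FEWER_RECORDS_THAN_VOTERS", voters - records[unit]))
        if votes[unit] > voters:
            # More votes in one race than people who voted: bad read or double count.
            findings.append((unit, "MORE_VOTES_THAN_VOTERS", votes[unit] - voters))
    return findings

# Poll-book counts: 638 and 7,537 are from the slides; 900 is constructed.
POLL_BOOK = {"Franklin-1B": 638, "Carteret-early": 7537, "Craven-P07": 900}

UPLOADS = [
    # Franklin 1B: three machines. Precinct totals (Bush 4,258, Kerry 260) are
    # from the slides; 4,008 = 4,258 - (365 - 115); other splits are constructed.
    ("Franklin-1B", "cart-1", 215, {"Bush": 4008, "Kerry": 90}),
    ("Franklin-1B", "cart-2", 212, {"Bush": 130, "Kerry": 85}),
    ("Franklin-1B", "cart-3", 211, {"Bush": 120, "Kerry": 85}),
    # Carteret early voting: 3,005 records kept for 7,537 voters (slides);
    # the candidate split is constructed.
    ("Carteret-early", "pack-1", 3005, {"A": 1600, "B": 1405}),
    # Craven: a constructed precinct whose memory pack is read twice.
    ("Craven-P07", "pack-9", 900, {"A": 500, "B": 400}),
    ("Craven-P07", "pack-9", 900, {"A": 500, "B": 400}),
]

if __name__ == "__main__":
    for finding in reconcile(POLL_BOOK, UPLOADS):
        print(finding)
```

Running the check before unofficial results are posted would surface all three conditions at upload time rather than at the later canvass.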
Orleans Parish, LA
• New Orleans
• Sequoia Voting Systems, Inc
• Model: AVC Advantage
Orleans Parish, LA
• Sequoia machines failed to boot up on election day and local election officials had no backup plan. EFF attorneys filed a complaint in Civil District Court attempting to force election officials in the Parish of New Orleans to keep polls open late. The NAACP also filed a complaint urging polls to remain open late to accommodate disenfranchised voters.
• The machines that failed in New Orleans were older Sequoia AVC Edge machines and 80 incidents of failure were recorded across a number of precincts.
Boulder County, CO
• Hart Intercivic Optical Scan, Precinct-Based
• Model: BallotNow
Boulder County, CO
• A printing error that distorted bar codes on paper ballots is being blamed for delays that made this one of the last counties in the nation to report election results.
• The county clerk's office and officials at a Denver printing company are examining flaws in thousands of ballots that slowed the vote count to a crawl.
• County Clerk Linda Salas said Monday the bad ballots were distributed at random, cropping up in some precincts, but not in others. The exact number of bad ballots is still unknown, Salas said.
• Scanners rejected ballots with the bad bar codes, requiring election judges to tally those votes race by race.
Boulder County, CO
• Voting equipment was tested before the election. But the printing error occurred only on actual ballots that went to voters, not the test ballots, Salas said.
• Adding to the delays were attempts to figure out why the scanners were rejecting some ballots. Technicians from Hart Intercivic, which makes the scanners, and Kodak, which makes the lenses, examined the machines before the bar code error - which was not visible to the naked eye - was caught, Salas said.
Thurston County, WA
• Election Systems & Software punched card system
Thurston County, WA
• Elections staff recounted an estimated 81,000 ballots first tallied Election Day after learning that computer software wasn't set up properly for the first count.
• No errors were caused in tabulating the ballots the first time, Thurston County Auditor Kim Wyman said.
• The mistake did make it impossible to know exactly how many poll-site ballots were cast in each precinct of the county. A dozen staff members worked into the evening, recounting the ballots after properly setting software on the machines. They needed the data as part of their routine effort to confirm that machine-vote totals equal the totals in poll books.
• An "F2 key" was not punched when elections workers set up the vote-counting machines prior to Tuesday's election, Wyman said.
Paper Trail Problems
• Clark County, NV (Las Vegas) + Reno
• 5 machines at a Reno polling place malfunctioned at the same time due to a failure to change paper. The problem backed up lines and caused the site to stay open until about 10 p.m., three hours past closing.
• In Reno, at least two voters complained that their votes were erroneously recorded. Machines, which resemble ATMs or computers, began to work again after they were shut down and restarted.
• Two machines malfunctioned at separate polling places in Las Vegas.
• Audits of random machines to be completed by all 17 Nevada counties by Tuesday.
Electronic voting
Poll site voting, no networking
– Already in use today in the form of Direct Recording Electronic (DRE) machines
Poll site voting via networked voting machines
Poll site voting via networked PCs
Kiosk voting - voting via networked PCs or voting machines at kiosks, not necessarily at traditional polling places
Vote from home (or anywhere else)
Enthusiasm for evoting growing
Despite increasing realization of problems
Technology solves all sorts of other problems, why not voting?
People like the vision of voting in their PJs
Belief that evoting will increase voter turnout
Internet Voting
• Where?
– Polling place
– Kiosks
– Home
– Anywhere
Internet Voting Benefits
• Convenience
– Accessibility in all weather, all ages
– Vote anywhere, maybe even from cellphone
– Availability of candidate information
• Maybe lower operating cost (maybe not)
– if regular polling places are eliminated
Internet Voting Risks
• Digital divide
– People without Internet access
– People without computer skills
• Security, trust
• Casual environment
• Open to the world
Internet Voting Security Risks
• Bugs
• Backdoors to manipulation
• Malicious code
• COTS (Commercial Off-the-Shelf Software), e.g. Windows, may contain exploits
• Insider attacks
– Compromising results
– Compromising privacy
• Client attacks
– Operator (for Internet cafes)
– Worms, viruses, ActiveX, spyware
Internet Voting Security Risks
• Denial of Service
– DDOS attacks on server
– Selective disenfranchisement
• Spoof websites
– Fake “official” site – captures voting credentials, issues fake acknowledgement, then casts real vote differently
• Promotion of coercion
– Automated credential-selling
– Installation of watcher software
Gauging election risks and threats
Risks and threats vary depending on:
– Type of election (public vs. private)
– Consequences of a successful attack
– Value of election outcome to potential adversaries
– Expertise, skill & resources needed to disrupt
– Level of motivation of potential attackers
– Amount of disruption needed to sway the election or call its outcome into doubt
– Consequences of a perception of unfair outcome
Internet voting in public elections
Social issues:
– Vote coercion
– Vote sale
– Vote solicitation (click here to vote, banner ads)
Technical issues:
– Securing the platform
– Securing the communications channel
– Assuring availability of the network
– Registration issues, one vote per person, no dead voters
– Authentication in each direction
– Maintaining equitable costs (no poll tax, e.g. smartcard reader)
Can cryptography help?
• Yes – using “mix-nets” (Chaum) and “voter-verified secret ballots” (Chaum; Neff)
• Official ballot is electronic not paper.
• Ballot is encrypted version of choices.
• Ballots posted on public bulletin board.
• Voter gets paper “receipt” so she can:
– Ensure that her ballot is properly posted
– Detect voting machine error or fraud
SOURCE: RON RIVEST
Voter needs evidence
• That her vote is “cast as intended”:
• That her ballot is indeed encryption of her choices, and what her ballot is.
This is extremely challenging, since
– She can’t compute much herself
– She can’t take away anything that would allow her to prove how she voted
• So: she takes away evidence that allows her (as she exits polling site) to detect whether cheating occurred, and receipt to prove what her ballot is.
SOURCE: RON RIVEST
Everyone needs evidence
• That votes are “counted as cast”:
• That mix-servers (“mixes”) properly permute and re-encrypt ballots.
This is challenging, since
– Mixes cannot reveal the permutation they applied to ballots
• That trustees properly decrypt the permuted ballots
This is relatively straightforward, using known techniques.
• This is “universal verifiability”
SOURCE: RON RIVEST
A Simplistic Voting Protocol
[Diagram labels: Voter, Validator, Tallier, BALLOT, Voter’s Private Key, Voter’s Public Key, Tallier’s Public Key, Tallier’s Private Key]
Tallier and validator can collude to violate privacy
Sensus
A design and prototype implementation of an electronic voting system
Based on Fujioka, Okamoto, Ohta (FOO) protocol
Implemented in C and Perl on a Unix system
This is one example of the many electronic voting protocols
References
– Fujioka, A., Okamoto, T., and Ohta, K. A practical secret voting scheme for large scale elections. In Advances in Cryptology - AUSCRYPT '92, Springer-Verlag, Berlin. 1993, pp. 244-251.
– Cranor, L. and Cytron, R. Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA. http://lorrie.cranor.org/pubs/hicss/
Blind Signatures
Allow someone to sign a document without knowing what they are signing
Like signing the outside of an envelope with carbon paper and a document inside
Blind Signatures
All arithmetic is mod n
Blinding (performed by voter):
– choose a random blinding factor r
– compute and present for signing: $m \times r^e$, where m is the message, e = encryption (public) key
Signing (performed by validator):
– compute $(m \times r^e)^d$, where d = decryption (private) key
– this is equal to $r \times m^d$
Unblinding (performed by voter):
– compute $r \times m^d / r = m^d$
The Sensus Polling Protocol
Pollster - the user’s agent - trusted by user
Validator - validates ballots (without seeing content of ballots)
Tallier - counts validated ballots and reports results (without knowing which voter voted which ballot)
Registrar - registers voters
The Pollster prepares the ballot
Presents ballot questions to user and records answers
Generates key pair and seals ballot
Blinds sealed ballot
Signs blinded, sealed ballot
The Sensus Polling Protocol
[Diagram: numbered messages among Validator, Pollster and Tallier]
1. blinded, sealed ballot; ID number; signature
2. signed, blinded, sealed ballot
3. sealed ballot, signed by validator
4. sealed ballot, signed by tallier; receipt #
5. receipt #; key to unseal ballot
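The blinding arithmetic and the five numbered messages above, as an added Python example that is not part of the original slides and is not the Sensus code: the validator signs a blinded, sealed ballot without seeing it, and the tallier verifies the unblinded signature and later unseals the ballot. Assumptions: a toy RSA modulus built from two small known primes, a SHA-256 keystream standing in for the seal, message directions pollster to validator (1), back (2), pollster to tallier (3), back (4), pollster to tallier (5), the voter's own signature in message 1 omitted, and the made-up voter id `voter-17`.

```python
import hashlib
import math
import secrets

# Toy RSA key for the validator (assumption: two known Mersenne primes, far too
# small for real use, chosen so the example runs offline without key generation).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(data: bytes) -> int:
    """Message m: SHA-256 of the sealed ballot, reduced mod n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def seal(ballot: bytes, key: bytes) -> bytes:
    """Toy seal: XOR with a SHA-256 keystream (stand-in for real encryption)."""
    stream, counter = b"", 0
    while len(stream) < len(ballot):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(ballot, stream))

unseal = seal  # XOR is its own inverse

class Validator:
    def __init__(self, registered):
        self.registered, self.validated = set(registered), set()
    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.registered or voter_id in self.validated:
            raise PermissionError("not registered or already validated")
        self.validated.add(voter_id)
        return pow(blinded, D, N)              # (m * r^e)^d = r * m^d mod n

class Tallier:
    def __init__(self):
        self.sealed, self.tally = {}, {}
    def accept(self, sealed, signature):
        if pow(signature, E, N) != digest(sealed):
            raise ValueError("validator signature does not verify")
        receipt = len(self.sealed) + 1
        self.sealed[receipt] = sealed
        return receipt
    def open(self, receipt, key):
        choice = unseal(self.sealed.pop(receipt), key).decode()
        self.tally[choice] = self.tally.get(choice, 0) + 1

class Pollster:
    def prepare(self, choice):
        self.key = secrets.token_bytes(16)
        self.sealed = seal(choice.encode(), self.key)
        while True:                            # blinding factor must be invertible
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break
        return digest(self.sealed) * pow(self.r, E, N) % N    # m * r^e
    def unblind(self, blind_sig):
        return blind_sig * pow(self.r, -1, N) % N             # r * m^d / r = m^d

def run_election():
    validator, tallier, pollster = Validator({"voter-17"}), Tallier(), Pollster()
    blinded = pollster.prepare("yes")
    blind_sig = validator.sign_blinded("voter-17", blinded)   # messages 1 and 2
    sig = pollster.unblind(blind_sig)
    receipt = tallier.accept(pollster.sealed, sig)            # messages 3 and 4
    tallier.open(receipt, pollster.key)                       # message 5
    try:                                                      # one validation per voter
        validator.sign_blinded("voter-17", blinded)
        second = "signed"
    except PermissionError:
        second = "refused"
    return {"blinded_differs": blinded != digest(pollster.sealed),
            "sig_valid": pow(sig, E, N) == digest(pollster.sealed),
            "tally": tallier.tally, "second_request": second}
```

The validator only ever handles the blinded value, so it cannot link the signature it issued to the sealed ballot the tallier later receives.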
Sensus assumptions
Communication occurs over an anonymous channel
Machines (along with secrets on them) are secure (including users’ machines!)
Messages are not likely to arrive at validator and tallier in the same order
Strong encryption
Election is not disrupted due to denial of service attacks, power outages, etc.
Can we count on these assumptions to be true?
Even if these assumptions hold
If voters abstain, validator may submit ballots for them
– These invalid ballots may be detected, but not corrected
Voters can prove how they voted (and sell their votes)
Only weak verifiability (voters can verify their votes but not third-party)