A Modular Voting Architecture (“Frogs”)
Shuki Bruck (CalTech), David Jefferson (Compaq), Ronald L. Rivest (MIT)
(WOTE, August 28, 2001)

Outline
- Moving from paper → electronic
- Voting with frogs
- Advantages of frogs
- Security
- Conclusions

What’s next in voting?
- We propose a practical voting system for the near term (2004?) that
  – moves from paper to electronic
  – emphasizes and standardizes a clean separation between “vote generation” and “vote casting” components (for many good reasons).
  – uses digital signatures to witness “votes cast”

Where are we now? Op-scan
- Ballots are printed beforehand.
- On election day, voter:
  – Identifies himself
  – Receives ballot
  – Fills out ballot (“vote generation”)
  – Casts ballot (“vote casting”)
- Ballots scanned; results tabulated.
- Problems: UI, printing and storage costs, scanning accuracy, security.

Move from paper to electronic?
- Preserve “voting experience”
- Paper ballot → electronic “frog” (term intended to be neutral as to technology)
- Frog might be “dumb” flash memory card (4K bytes) with “freeze” (lock) capability. (No software on frog to validate/certify!)

Voting with Frogs: (1) Sign-in
- Voter identifies himself to pollworker.
- Pollworker takes blank frog, and “initializes” it. (Election specification, ballot style written on frog.)
- Pollworker gives frog to voter.

(2) Vote Generation
- Voter inserts frog into “vote generation” equipment.
- Vote generation equipment reads ballot style, provides superb UI for voter to indicate his selections.
- Voter’s selections are written onto frog in a standard format.
- Voter removes frog.

(3) Vote-casting
- Voter inserts his frog into vote-casting equipment.
- Voter sees frog contents displayed.
- If voter pushes “Cast” button:
  – Frog is digitally signed; same signing key(s) used for all votes.
  – Frog is frozen and deposited in frog bin.
  – Electronic copy(s) of vote → storage.
- Else frog is returned and voter goes back to (2) vote generation.

(4) Web posting/Tabulation
- Once election is over, election officials for each precinct post on Web, as separate, unmatched lists in random order:
  – Names of all voters who voted.
  – All cast ballots (with digital signatures)
- Everyone can verify signatures on ballots, and compute total.

Advantages of frogs
- Electronic: no “scanning errors”
- Frogs can be kept as “physical audit trail” after election.
- No printing costs: frogs can be purchased “blank” in bulk (20 cents?)
- Frogs can be stored compactly (size of business card?)
- Frog can be “frozen” when cast making it “read-only” (unmodifiable).

Advantages of frogs
- Frogs are digital: so they are compatible with cryptography (e.g. digital signatures).
- Frog is just a carrier for a digital representation of ballot; technology can evolve while keeping underlying data formats constant (our proposal is technology-neutral).

Standardized Frog Format
- This may be the most important part of our proposal: Standardize the format of electronic ballots!!!
- Standard data file format: header + one line/race, standard character set (UTF-8).
- This should be vigorously pursued, independent of whether the rest of our proposal is adopted.

Standardized Frog Format

    Massachusetts, Middlesex County, Precinct 11
    Election Closes November 7, 2004 at 8pm EST
    Ballot: MA/Middlesex/1; English; No rotation
    Ballot Initialized by Election Official 10
    You have chosen:
    U.S. President: Mary Morris
    U.S. Vice President: Alice Applebee
    Middlesex Dog Catcher: Sam Smith (write-in)
    Proposition 1 (Casino): FOR
    Proposition 2 (Taxes): AGAINST
    Proposition 3 (Swimming Pool): FOR
    Proposition 4 (Road Work): NO VOTE

Standardized Frog Format
- Is both human and machine-readable.
- Provides a clean interface between vote-generation (frog-writing) and vote-casting (frog confirmation/freezing/depositing).
- Allows different manufacturers to build different vote-generation equipment (varying UI’s) compatible with same vote-casting equipment.

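An added example (not part of the original slides): a parser for the header + one-line-per-race frog format shown above, together with the public check from step (4), where anyone verifies the signature on each posted ballot and computes the total. The slides give no grammar or signature scheme, so the marker-line rule, the names `make_frog`, `parse_frog`, `sign`, `verify`, `tally`, and the toy RSA key are assumptions for illustration.

```python
import hashlib
from collections import Counter
# Constructed header, following the sample ballot on the slide.
HEADER = ("Massachusetts, Middlesex County, Precinct 11\n"
          "Election Closes November 7, 2004 at 8pm EST\n"
          "Ballot: MA/Middlesex/1; English; No rotation\n"
          "Ballot Initialized by Election Official 10\n")
MARKER = "You have chosen:"  # assumed boundary between header and race lines

def make_frog(choices):
    """Vote generation: header + one 'race: selection' line per race, UTF-8."""
    body = "".join(f"{race}: {sel}\n" for race, sel in choices)
    return f"{HEADER}{MARKER}\n{body}".encode("utf-8")

def parse_frog(data):
    """Return (header_lines, {race: selection}); raise ValueError if malformed."""
    lines = data.decode("utf-8").splitlines()  # UnicodeDecodeError is a ValueError
    if MARKER not in lines:
        raise ValueError("missing selections marker")
    split, selections = lines.index(MARKER), {}
    for line in lines[split + 1:]:
        # Split at the first ": " so voter-supplied write-in text cannot move it.
        race, sep, sel = line.partition(": ")
        if not sep or not sel or race in selections:
            raise ValueError(f"bad or duplicate race line: {line!r}")
        selections[race] = sel
    return lines[:split], selections

# Toy textbook RSA over SHA-256, constructed primes: stand-in for a real scheme.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def sign(data):         # vote-casting side: signs the frog bytes exactly as-is
    return pow(_digest(data), D, N)
def verify(data, sig):  # public side: needs only (N, E)
    return pow(sig, E, N) == _digest(data)

def tally(posted):
    """Count selections from posted (frog_bytes, signature) pairs that verify."""
    totals, rejected = Counter(), 0
    for data, sig in posted:
        if not verify(data, sig):
            rejected += 1
            continue
        for race, sel in parse_frog(data)[1].items():
            totals[race, sel] += 1
    return totals, rejected
```

Because the signature covers the raw frog bytes, any edit to a posted ballot, even one that still parses cleanly, is rejected before it reaches the count.
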
Security
- In near term, the only trustworthy equipment available to voter will be that provided by election officials. (PC’s/handhelds/phones all vulnerable. Thus, no individual digital signatures, and no voting from home.)
- In effect, vote-casting equipment is “proxy” for voter in electronic voting scheme.

Security
- A secure system needs to be simple. Very simple. Very very simple.
- A good user interface is complex. Quite complex. Really very complex.
- It follows that the sophisticated user interface should be separated from the security-critical components.

What is most security-critical?
- Vote-casting, wherein voter
  – Confirms that his selections are recorded accurately,
  – Officially casts his recorded selections.
- This operation needs to be exceptionally trustworthy.
- With electronics, records are indirect; voter is much like a blind man voting with someone’s assistance.

Vote-Casting: the critical instant
From “Bob’s vote”
To “anonymous vote”

Vote-casting equipment should:
- Display exactly and completely whatever is in frog.
- Be stateless (no test/real modes!)
- For cast vote, digitally sign whatever is in frog, using one key (election official) or more (political parties too).
- Send copies of cast votes → storage units.
- Be open source.
- Be long-term purchase.

Vote-generation equipment:
- Is less security-critical.
- May have proprietary design/code.
- Has less stringent certification requirements, and so can evolve more quickly with technology.
- May be leased rather than purchased.

Notes:
- Anonymity up to precinct level; should be OK.
- Write-ins might be handled by “splitting” into write-in/non-write-in components to preserve privacy.
- Provisional ballots can be handled as usual. (Put aside in envelope.)
- Voter may prepare ballot at home and bring it to poll-site for final editing/casting.

Conclusion
We have presented a practical proposal for a modular architecture for near-term pollsite voting that can achieve a high degree of security while simultaneously enabling innovation.

(The End)