
Verifiable Voting: A Primer - rusbus
https://rcoh.me/posts/verifiable-voting-primer/
======
honoredb
This is a nice explanation and a cool solution. I amused myself a bit ago by
trying to come up with a solution for these two constraints without reading
about the crypto work, and ended up with something different. In my scheme, a
voter casts a vote for a candidate and gets a receipt with the UUID of the
vote, which is simply mapped to the candidate so that they can verify it
online later. However, the voter can also cast any number of additional
ballots, which are constrained by the system to be pairs of votes and anti-
votes, each for the same candidate, and get receipts for each. For example, I
support Harker, but I've been paid to vote for Dracula. I go into the voting
booth and cast my vote for Harker, getting Receipt 1. Then I press an extra
button to cast a fake vote for Dracula, and get Receipts 2 and 3, with 3 being
a special negative ballot. I can show Receipt 2 to my briber, who can verify
that it corresponds to a vote for Dracula. But secretly, I can use Receipt 1
to check that my vote for Harker was counted correctly, and Receipt 3 to see
that a negative vote was also cast for Dracula, cancelling out my bribed vote.

You need to allow each voter to cast multiple fake votes, otherwise the
briber/coercer could simply demand receipts for a fake vote in addition to the
real ones. Could get a bit unwieldy. But the big advantage is that there's no
extra complexity for the average voter, since they don't need to cast any fake
votes.

~~~
fooyc
The machine could give the same UUID to different voters:

- Voter 1 votes for Harker
- Voter 2 votes for Harker, gets the same UUID. The machine casts a vote for
Dracula instead

It could also cast any number of fake/counter votes without the voter knowing.

~~~
deegles
You make the ID be a hash of a UUID and the voter’s name.

~~~
amluto
That allows proving who cast which vote. Instead, you could generate the ID
when the vote is cast using a coin flip protocol.

Some effort would be needed to create an actual proof that the coin flip
protocol doesn’t allow the voter to generate any sort of proof that they
participated in the coin flips. I think the usual schemes do have this
property (at least, they do if the parties don’t collude), but I haven’t seen
this specifically proven.

------
smitty1e
Locally, where I serve as an election officer, we

- check in
- fill out a bubble sheet
- scan it
- declare vict'ry

Complex schemes are great intellectual exercises.

Just understand that perfection is unattainable.

We need _enough_ automation for speedy reporting, without losing the secret
ballot.

But the temptation to fetish technology past the point of diminishing returns,
too, is a bugaboo.

KISS.

~~~
mlyle
I like this scheme because it's a similar complexity to existing voting
protocols at the polling place.

You fill in a bubble sheet, scan it, throw away half the ballot and take the
other half as a receipt.

Later the user can prove their vote, but only to the election authority.

~~~
smitty1e
You may not want to leave the polling place with any physical evidence of how
you voted.

- a bad actor may lean on you about it
- recounts will be ridiculously costly
- a suitable ballot will be expensive to produce

When one considers _all_ of the privacy/usability ramifications, just

- casting the ballot
- hearing a 'thunk' inside the DS200 machine
- having zero connecting information

. . .is more or less optimal.

~~~
mlyle
> You may not want to leave the polling place with any physical evidence of
> how you voted.
>
> - a bad actor may lean on you about it

Except the scheme precludes it. Have you just not read this?

> - recounts will be ridiculously costly

This has some implications for recounts, but I don't think anything fatal or
complicated.

> - a suitable ballot will be expensive to produce

The ballots I use currently have a perforated receipt, just not arranged in
the way suggested. Yes, it may have slightly longer perforation, I guess...

~~~
smitty1e
> Except the scheme precludes it. Have you just not read this?

Scheme or no scheme: if there is information, it will leak.

~~~
mlyle
I suggest you read the document and maybe learn about the math involved.

The stuff the voter keeps cannot be used to prove anything except that the
voter's vote is in the count.

~~~
smitty1e
For a more thorough review, two points:

\- This is a mathematically elegant approach, and the author is to be
commended.

\- The legal challenges impeding implementation would be staggering.

> "Each ballot has a randomized order – this means that a right-hand ballot
> alone can’t reveal who the vote was cast for."

This may be legally possible in some areas, but none with which I'm familiar.
The ballot has to be known and printed weeks in advance of the election. The
costs are already huge. Managing randomized hard-copy ballots is going to be a
tough sell.

There's just a bit more afoot here than (admittedly splendid) abstract
mathematical exercises.

~~~
rusbus
This is actually addressed -- votes can be made on a computer where ballot
options are ordered then printed on a receipt in the same ballot format but
with randomized order.

~~~
smitty1e
Again: great tech.

Please understand: a large number of people want a printed, paper ballot.
Excellent though the mathematical architecture may be, the fish don't want no
bicycles.

------
vowelless
This primer misses the point that elections should be easy to participate in.
The voters should not need the ability or knowledge about encryption to
participate. Otherwise it discriminates against voters from many historically
underprivileged backgrounds.

And the same goes for the people helping conduct the election. The ones who
have to help with counting. I would rather have anyone above the age of 18 be
able to count the votes without trusting corporations or complex open source
programs. Let the community leaders and volunteers in underprivileged parts
of the country be able to simply count the votes. Otherwise we shut them out.

Just my two cents. Well written post though.

~~~
rusbus
Pret a Voter _is_ easy to participate in. If you don't want or care about
helping verify the results, you just vote in a pretty normal way, end of
story.

I've updated the post in a few places to help clarify this.

~~~
iudqnolq
Exactly. Many consider ordinary voters caring about and helping in verifying
the result an important aspect of democratic voting. If people don't
understand the vote will be counted fairly, they may be more likely to decide
there's no point participating in their democracy.

Especially because most people can understand at a visceral level why all
paper ballots are fair, why overcomplicate what isn't broken?

------
amflare
I still don't get it. The ballot is effectively a pivot between the voter and
the result. You can't just disconnect this without sacrificing the integrity
of the system. If you scramble it so that the vote and the ballot are
disconnected, there is no way to prove the results are valid. And if you
disconnect the voter from the ballot, you can make up all the votes you want.

But let's say the Input->Output is reproducible all the time with no chain
between the voter and the result. You /still/ have no way to ensure that the
checkbox corresponded with the name, and that you cast the vote you think you
did. Perhaps this is outside the scope of the article, but it's a fairly
glaring deficiency.

Perhaps I'm misunderstanding. But all you can tell with this system is that
"your" ballot went into the magic box and a (presumably reproducible) result
came out the other side.

~~~
rusbus
I think you're saying that you don't understand how mixnets guarantee
integrity -- if that's incorrect, I apologize. Mixnets allow you to verify
that the data in is _identical_ to data out (modulo the salts) that serve to
anonymize the data. It isn't just reproducible, but verifiable. The results
coming out the other end are the final decrypted ballots which anyone can
count and verify the totals.

You can't know which final ballot was your vote, but you can know that your
ballot was in the mix coming in, and that the mix going out wasn't altered
(within some probabilistic bounds).

~~~
amflare
> Mixnets allow you to verify that the data in is _identical_ to data out
> (modulo the salts) to make it so that data is anonymized.

I think this is the part I don't understand. Partly because I don't know
anything about mixnets, and it feels like it's paradoxical. But if that's how
it is, then I can accept it.

------
maxfan8
> There are several different verifiable voting systems that have been conceived
> of – I’ll be describing a system called Prêt à Voter (the only one, to my
> knowledge, that’s been used in a real election).

This is not true. Scantegrity was an excellent voting system implemented in a
real, binding US election. It is also (relatively) easy to use and requires
little modification to a traditional ballot-based voting system.

[https://www.chaum.com/publications/Scantegrity-II-Municipal-...](https://www.chaum.com/publications/Scantegrity-II-Municipal-Election-at-Takoma-Park-the-first-E2E-Binding-Governmental-Election-with-Ballot-Privacy.pdf)

~~~
rusbus
Thanks! I've added a reference to Scantegrity to the post. Interestingly,
Scantegrity is just a front-end -- you still need something like mixnets to
actually count the votes.

------
nemetroid
A nice article with a great sense of when to hand-wave (and to acknowledge
that hand-waviness)...

...and a good argument as to why paper ballots are still the best known voting
system. Every other proposed solution is too complex.

------
Buttons840
> Next, we need to actually count the ballots in a way that can be verified.
> The key idea is that the ballots are shuffled in a way that we can be sure
> that no individual vote has been changed, but we don’t know which input vote
> corresponds to which output vote....

This confuses me. Is it difficult to shuffle the paper ballots without
changing votes? Are we concerned that the ink may be moved from one circle to
another circle or something?

~~~
rusbus
The encrypted ballots are all public and it isn't assumed that they're
anonymous (e.g. it's safe to post a picture of your RHS ballot on Facebook).

If we just directly decrypted them and published the results, they would allow
someone to prove who they had voted for.

So instead, we shuffle them to anonymise them, then decrypt them to avoid
being able to link an encrypted input vote to an output vote.

------
KerrickStaley
How does this system protect against ballot stuffing? It seems to have a
mechanism for voters to verify that their ballots were counted, but no
mechanism for the public to verify that counted ballots correspond to real
voters.

~~~
Spivak
I don’t think any cryptographic system can actually accomplish this because
the problem spills into meatspace.

A 3rd party could verify each person then sign each vote but then that 3rd
party can mint valid votes. And if you have a trusted 3rd party then why do
you need a complicated voting system?

------
ryanobjc
Election security should be transparently understandable to nearly everyone or
else there'll be mistrust in the system.

At this point, paper ballots, and human processes are the best hope in
America.

------
specialist
Quickly scanned article.

Doesn't account for the data leaks caused by ballot processing, which
eliminate the secret ballot.

With paper ballots cast at poll sites, voters sign prior to being issued a
ballot. This order is preserved (in the elections I'm familiar with). With the
Australian Ballot, dropping the ballot into the box is the secure one-way hash
which (mostly) anonymizes the ballots.

With postal ballots, even more care is required. Returned ballots arrive in
bins. So it's very likely that your ballot is the only one from your precinct
in that bin. Making it trivial to tie that ballot back to you. The mitigation
is to sort ballots by precinct prior to processing. Which is not easy or
feasible, because ballots are generally processed as they arrive. This loss of
secrecy is quite surprising to first time observers to how an election board
works to certify elections.

--

Source: Burned out election integrity activist. I actually got some minor laws
and procedures changed. Plus poll worker, judge, observer for about a decade.
It took me _forever_ to get up to speed on election administration and I'd say
I know maybe 20% of what I'd need to know to do the job. There are so many
nooks and crannies, and it's always changing, and every where has its own
quirks. Meaning election administration is surprisingly difficult and arcane.
So it's very hard to have casual constructive conversations about this stuff.

--

PS- Chewing on this article a bit more. Two things.

#1

Huge shout out for this point:

_"5) The salt is crucial for ballot secrecy – since there is a finite number of
permutations of the ballot, without it, an adversary could determine the
contents of a vote simply by enumerating possible ballot permutations and
matching the resulting cipher texts."_

THANK YOU!

This is so hard to explain. Especially to crypto advocates.

Back when I studied the available crypto voting systems, manually simulating a
real world election, I stumbled upon this realization.

Anyone advocating a new voting system HAS to clearly state the operating
parameters, assumptions. Number of voters, precincts, contests per ballot,
etc. And be very clear for when their system NO LONGER WORKS.

#2

This article does mention shuffling. I'll admit that I haven't followed the
advances this last decade. I'd want to verify that "shuffling" is one-way
(irreversible) and not simply hashing (hash collisions).

No one will be happier if someone figured out how to preserve private voting,
public counting (Australian Ballot).
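As an added example (not from the article or from any post in this thread), the enumeration the quoted point warns about, carried out against a SHA-256 commitment to a four-candidate ballot ordering, first without and then with a salt; the candidate names, the 16-byte random salt and the use of a plain hash commitment in place of the article's cipher are this example's own assumptions:

```python
import hashlib
import itertools
import secrets

# Constructed sample ballot: four candidate names assumed for this example.
CANDIDATES = ["Harker", "Dracula", "Mina", "Van Helsing"]

def commit(order, salt=b""):
    """Commit to one ordering of the ballot: SHA-256 over a salt and the
    candidate names in printed order. With an empty salt the commitment
    is a deterministic function of the ordering alone."""
    msg = b"|".join(name.encode() for name in order)
    return hashlib.sha256(salt + b"|" + msg).hexdigest()

def recover_order(digest, candidates=CANDIDATES):
    """The enumeration the quoted point warns about: an n-candidate ballot
    has only n! orderings, so hash each one and compare. Returns the
    ordering that reproduces an unsalted digest, or None."""
    for order in itertools.permutations(candidates):
        if commit(order) == digest:
            return tuple(order)
    return None

def open_commitment(digest, salt, order):
    """Legitimate opening: whoever holds the salt can still check which
    ordering a commitment was made to."""
    return commit(order, salt) == digest

def demo():
    # The ballot as printed (constructed): one permutation of CANDIDATES.
    printed = ("Mina", "Harker", "Van Helsing", "Dracula")

    # Unsalted: 24 orderings are trivially enumerable, so the ballot is recovered.
    recovered_unsalted = recover_order(commit(printed))

    # Salted with 16 random bytes: enumerating orderings alone matches nothing,
    # but the salt holder can still open the commitment.
    salt = secrets.token_bytes(16)
    salted = commit(printed, salt)
    recovered_salted = recover_order(salted)
    opens = open_commitment(salted, salt, printed)
    return recovered_unsalted, recovered_salted, opens

if __name__ == "__main__":
    print(demo())
```

The same enumeration scales as n! in the number of candidates, which is exactly why the quoted point asks for the salt rather than for a larger ballot.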

