A Modular Voting Architecture (Frogs) - Shuki Bruck (CalTech) - PowerPoint PPT Presentation



SLIDE 1

A Modular Voting Architecture ("Frogs")

Shuki Bruck (CalTech), David Jefferson (Compaq), Ronald L. Rivest (MIT)

(WOTE, August 28, 2001)

SLIDE 2

Outline

- Moving from paper -> electronic
- Voting with frogs
- Advantages of frogs
- Security
- Conclusions

SLIDE 3

What's next in voting?

- We propose a practical voting system for the near term (2004?) that
  - moves from paper to electronic
  - emphasizes and standardizes a clean separation between "vote generation" and "vote casting" components (for many good reasons).
  - uses digital signatures to witness "votes cast"

SLIDE 4

Where are we now? Op-scan

- Ballots are printed beforehand.
- On election day, voter:
  - Identifies himself
  - Receives ballot
  - Fills out ballot ("vote generation")
  - Casts ballot ("vote casting")
- Ballots scanned; results tabulated.
- Problems: UI, printing and storage costs, scanning accuracy, security.

SLIDE 5

Move from paper to electronic?

- Preserve "voting experience"
- Paper ballot -> electronic "frog" (term intended to be neutral as to technology)
- Frog might be "dumb" flash memory card (4K bytes) with "freeze" (lock) capability. (No software on frog to validate/certify!)

SLIDE 6

Voting with Frogs: (1) Sign-in

- Voter identifies himself to pollworker.
- Pollworker takes blank frog, and "initializes" it. (Election specification, ballot style written on frog.)
- Pollworker gives frog to voter.

SLIDE 7

(2) Vote Generation

- Voter inserts frog into "vote generation" equipment.
- Vote generation equipment reads ballot style, provides superb UI for voter to indicate his selections.
- Voter's selections are written onto frog in a standard format.
- Voter removes frog.

SLIDE 8

(3) Vote-casting

- Voter inserts his frog into vote-casting equipment.
- Voter sees frog contents displayed.
- If voter pushes "Cast" button:
  - Frog is digitally signed; same signing key(s) used for all votes.
  - Frog is frozen and deposited in frog bin.
  - Electronic copy(s) of vote -> storage.
- Else frog is returned and voter goes back to (2) vote generation.

SLIDE 9

(4) Web posting/Tabulation

- Once election is over, election officials for each precinct post on Web, as separate, unmatched lists in random order:
  - Names of all voters who voted.
  - All cast ballots (with digital signatures)
- Everyone can verify signatures on ballots, and compute total.
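The casting and posting steps of slides 8 and 9, as an added example that is not part of the original presentation: the casting equipment signs exactly the bytes on the frog with every election signing key, the precinct posts the voter names and the signed ballots as two independently shuffled lists, and anyone holding the published public keys can verify every signature and compute the totals, rejecting any ballot whose bytes changed after signing. Ed25519 is an assumed choice (the slides say only "digital signatures"), the two-key setup (election official plus one political party) follows slide 19, and the frog contents, voter names and all function names (`Cast`, `Verify`, `Tally`, `PostLists`) are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	mrand "math/rand"
	"strings"
)

// Constructed sample frogs in the slides' "header + one line per race" layout.
// Names and races are placeholders, not real election data.
const frogA = `Massachusetts, Middlesex County, Precinct 11
You have chosen:
U.S. President: Mary Morris
Proposition 1 (Casino): FOR
`

const frogB = `Massachusetts, Middlesex County, Precinct 11
You have chosen:
U.S. President: Mary Morris
Proposition 1 (Casino): AGAINST
`

// Signer is one election signing key: the election official's or a political party's.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair (Ed25519 is an assumed choice).
func NewSigner(name string) (Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, err
	}
	return Signer{Name: name, Pub: pub, priv: priv}, nil
}

// CastBallot is one entry on the posted list: the exact frog bytes plus one
// signature per key. The same keys sign every vote, so a signature identifies
// the election, never the voter.
type CastBallot struct {
	Frog []byte
	Sigs [][]byte
}

// Cast signs whatever is on the frog, byte for byte; the equipment witnesses
// the contents, it does not interpret or edit them.
func Cast(frog []byte, signers []Signer) CastBallot {
	b := CastBallot{Frog: append([]byte(nil), frog...)}
	for _, s := range signers {
		b.Sigs = append(b.Sigs, ed25519.Sign(s.priv, b.Frog))
	}
	return b
}

// Verify requires a valid signature from every published key, in published order.
func Verify(b CastBallot, pubs []ed25519.PublicKey) bool {
	if len(b.Sigs) != len(pubs) {
		return false
	}
	for i, pub := range pubs {
		if !ed25519.Verify(pub, b.Frog, b.Sigs[i]) {
			return false
		}
	}
	return true
}

// Tally counts choices per race over ballots whose signatures verify and reports
// how many ballots were rejected (bad signature or missing "You have chosen:" line).
func Tally(ballots []CastBallot, pubs []ed25519.PublicKey) (map[string]map[string]int, int) {
	counts, rejected := map[string]map[string]int{}, 0
	for _, b := range ballots {
		body := strings.SplitN(string(b.Frog), "You have chosen:\n", 2)
		if !Verify(b, pubs) || len(body) != 2 {
			rejected++
			continue
		}
		for _, line := range strings.Split(strings.TrimSpace(body[1]), "\n") {
			parts := strings.SplitN(line, ": ", 2) // race line shape: "Race: Choice"
			if len(parts) != 2 {
				continue
			}
			if counts[parts[0]] == nil {
				counts[parts[0]] = map[string]int{}
			}
			counts[parts[0]][parts[1]]++
		}
	}
	return counts, rejected
}

// PostLists builds the two precinct lists of slide 9, voter names and cast ballots,
// each shuffled on its own so that no name can be matched to a ballot.
func PostLists(names []string, ballots []CastBallot) ([]string, []CastBallot) {
	n := append([]string(nil), names...)
	c := append([]CastBallot(nil), ballots...)
	mrand.Shuffle(len(n), func(i, j int) { n[i], n[j] = n[j], n[i] })
	mrand.Shuffle(len(c), func(i, j int) { c[i], c[j] = c[j], c[i] })
	return n, c
}

func main() {
	official, _ := NewSigner("election official")
	party, _ := NewSigner("political party")
	signers := []Signer{official, party}
	pubs := []ed25519.PublicKey{official.Pub, party.Pub}
	names, posted := PostLists([]string{"Voter One", "Voter Two"},
		[]CastBallot{Cast([]byte(frogA), signers), Cast([]byte(frogB), signers)})
	counts, rejected := Tally(posted, pubs)
	fmt.Println("voted:", names, "totals:", counts, "rejected:", rejected)
}
```

`Verify` demands one signature per published key, so a ballot signed by the official alone is rejected when a party key was also announced; this is what makes the extra keys worth anything. The tally parser is deliberately minimal, since the signed bytes are what is authoritative; a stricter format check belongs to the frog-format parser, not to the tallying step.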

SLIDE 10

Advantages of frogs

- Electronic: no "scanning errors"
- Frogs can be kept as "physical audit trail" after election.
- No printing costs: frogs can be purchased "blank" in bulk (20 cents?)
- Frogs can be stored compactly (size of business card?)
- Frog can be "frozen" when cast, making it "read-only" (unmodifiable).

SLIDE 11

Advantages of frogs

- Frogs are digital: so they are compatible with cryptography (e.g. digital signatures).
- Frog is just a carrier for a digital representation of ballot; technology can evolve while keeping underlying data formats constant (our proposal is technology-neutral).

SLIDE 12

Standardized Frog Format

- This may be the most important part of our proposal: Standardize the format of electronic ballots!!!
- Standard data file format: header + one line/race, standard character set (UTF-8).
- This should be vigorously pursued, independent of whether the rest of our proposal is adopted.

SLIDE 13

Standardized Frog Format

Massachusetts, Middlesex County, Precinct 11
Election Closes November 7, 2004 at 8pm EST
Ballot: MA/Middlesex/1; English; No rotation
Ballot Initialized by Election Official 10
You have chosen:
U.S. President: Mary Morris
U.S. Vice President: Alice Applebee
Middlesex Dog Catcher: Sam Smith (write-in)
Proposition 1 (Casino): FOR
Proposition 2 (Taxes): AGAINST
Proposition 3 (Swimming Pool): FOR
Proposition 4 (Road Work): NO VOTE

SLIDE 14

Standardized Frog Format

- Is both human- and machine-readable.
- Provides a clean interface between vote-generation (frog-writing) and vote-casting (frog confirmation/freezing/depositing).
- Allows different manufacturers to build different vote-generation equipment (varying UIs) compatible with same vote-casting equipment.
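A parser and re-serializer for the frog format of slides 12 to 14, as an added example that is not part of the original presentation. The layout is taken from the slides (UTF-8, header lines, a "You have chosen:" marker, one "Race: Choice" line per race, "NO VOTE" and "(write-in)" markers); the strictness rules it enforces (reject invalid UTF-8, control characters, a missing header or marker, duplicate races, malformed race lines) are assumptions about what casting equipment that must display the frog exactly and sign it as-is would want, not rules the slides state. The sample ballot is constructed from slide 13 with its placeholder names, and the type and function names (`Frog`, `Selection`, `ParseFrog`, `Render`) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Constructed sample in the slides' layout: header lines, the "You have chosen:"
// marker, then exactly one line per race. Names are the slide's placeholders.
const sampleFrog = `Massachusetts, Middlesex County, Precinct 11
Election Closes November 7, 2004 at 8pm EST
Ballot: MA/Middlesex/1; English; No rotation
Ballot Initialized by Election Official 10
You have chosen:
U.S. President: Mary Morris
U.S. Vice President: Alice Applebee
Middlesex Dog Catcher: Sam Smith (write-in)
Proposition 1 (Casino): FOR
Proposition 2 (Taxes): AGAINST
Proposition 3 (Swimming Pool): FOR
Proposition 4 (Road Work): NO VOTE
`

const marker = "You have chosen:"

// Selection is one race line; NoVote and WriteIn reflect the slide's
// "NO VOTE" and "(write-in)" markers.
type Selection struct {
	Race, Choice    string
	NoVote, WriteIn bool
}

// Frog keeps the header lines verbatim plus one Selection per race.
type Frog struct {
	Header     []string
	Selections []Selection
}

// ParseFrog accepts only what casting equipment could display exactly and sign
// as-is (assumed strictness rules): valid UTF-8, no control characters other
// than newline, a header, the marker, and unique "Race: Choice" lines.
func ParseFrog(data []byte) (*Frog, error) {
	if !utf8.Valid(data) {
		return nil, errors.New("frog is not valid UTF-8")
	}
	for _, r := range string(data) {
		if r < 0x20 && r != '\n' {
			return nil, fmt.Errorf("control character U+%04X in frog", r)
		}
	}
	f, seen, inBody := &Frog{}, map[string]bool{}, false
	for i, line := range strings.Split(strings.TrimRight(string(data), "\n"), "\n") {
		switch {
		case !inBody && line == marker:
			if i == 0 {
				return nil, errors.New("frog has no header")
			}
			inBody = true
		case !inBody:
			f.Header = append(f.Header, line)
		default:
			parts := strings.SplitN(line, ": ", 2)
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("line %d is not \"Race: Choice\": %q", i+1, line)
			}
			if seen[parts[0]] {
				return nil, fmt.Errorf("race %q appears twice", parts[0])
			}
			seen[parts[0]] = true
			f.Selections = append(f.Selections, Selection{
				Race: parts[0], Choice: parts[1],
				NoVote:  parts[1] == "NO VOTE",
				WriteIn: strings.HasSuffix(parts[1], "(write-in)"),
			})
		}
	}
	if !inBody {
		return nil, fmt.Errorf("frog has no %q line", marker)
	}
	return f, nil
}

// Render re-serializes a Frog. A frog that round-trips byte for byte is one the
// casting equipment can show the voter exactly and sign without reinterpreting.
func (f *Frog) Render() string {
	var b strings.Builder
	for _, h := range f.Header {
		b.WriteString(h + "\n")
	}
	b.WriteString(marker + "\n")
	for _, s := range f.Selections {
		b.WriteString(s.Race + ": " + s.Choice + "\n")
	}
	return b.String()
}

func main() {
	f, err := ParseFrog([]byte(sampleFrog))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("%d header lines, %d races, round-trips: %v\n",
		len(f.Header), len(f.Selections), f.Render() == sampleFrog)
}
```

The round-trip property is the point of the format being "both human and machine-readable": vote-generation equipment from any manufacturer writes the same text, and vote-casting equipment can refuse a frog it could not display exactly rather than guessing at its meaning.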

SLIDE 15

Security

- In near term, the only trustworthy equipment available to voter will be that provided by election officials. (PCs/handhelds/phones all vulnerable. Thus, no individual digital signatures, and no voting from home.)
- In effect, vote-casting equipment is "proxy" for voter in electronic voting scheme.

SLIDE 16

Security

- A secure system needs to be simple. Very simple. Very very simple.
- A good user interface is complex. Quite complex. Really very complex.
- It follows that the sophisticated user interface should be separated from the security-critical components.

SLIDE 17

What is most security-critical?

- Vote-casting, wherein voter
  - Confirms that his selections are recorded accurately,
  - Officially casts his recorded selections.
- This operation needs to be exceptionally trustworthy.
- With electronics, records are indirect; voter is much like a blind man voting with someone's assistance.

SLIDE 18

Vote-Casting: the critical instant

From "Bob's vote" To "anonymous vote"

SLIDE 19

Vote-casting equipment should:

- Display exactly and completely whatever is in frog.
- Be stateless (no test/real modes!)
- For cast vote, digitally sign whatever is in frog, using one key (election official) or more (political parties too).
- Send copies of cast votes -> storage units.
- Be open source.
- Be long-term purchase.

SLIDE 20

Vote-generation equipment:

- Is less security-critical.
- May have proprietary design/code.
- Has less stringent certification requirements, and so can evolve more quickly with technology.
- May be leased rather than purchased.

SLIDE 21

Notes:

- Anonymity up to precinct level; should be OK.
- Write-ins might be handled by "splitting" into write-in/non-write-in components to preserve privacy.
- Provisional ballots can be handled as usual. (Put aside in envelope.)
- Voter may prepare ballot at home and bring it to poll-site for final editing/casting.

SLIDE 22

Conclusion

We have presented a practical proposal for a modular architecture for near-term pollsite voting that can achieve a high degree of security while simultaneously enabling innovation.

SLIDE 23

(The End)