In response to my recent post regarding open-audit voting, Ronald Crane expresses a number of doubts regarding cryptographic auditing of elections, concluding “I don’t see that crypto voting solves much.” I am responding in detail here because Ronald is deeply misinformed. There are certainly points regarding open-audit techniques that merit in-depth discussion, but the points Ronald brings up are precisely those where cryptographic auditing shines, and it’s important to correct these misunderstandings quickly.
First, they are not proof against many presentation attacks (e.g., dropping candidates from the ballot, rearranging the ballot, modifying the headers between races, modulating the sensitivity of the touch-screen to make it more difficult to select certain candidates…)
Let’s assume for a second that this is true. It turns out that every current voting system, be it opscan, touch-screen, punchcard, etc…, is vulnerable to these kinds of issues. Ronald may be using this argument to promote hand-counted paper ballots. Sadly, hand-counted paper ballots are completely unworkable in large precincts, and they’ve been shown time and time again to be extremely unreliable because humans don’t count things very well.
But even if you’re not convinced and you cheer for hand-counted paper ballots, it turns out that Ronald’s claim is actually not true to begin with: open-audit voting systems can do better than anyone else on this front. Consider Benaloh’s latest “Simple Cryptographic Voting”, where he proposes splitting the ballot preparation machine from the ballot casting machine. This is a bit like the machines that help you mark an opscan ballot if you need audiovisual help, except in Benaloh’s approach, the machines help you prepare an encrypted ballot. The beauty of the Benaloh scheme is that you don’t need to authenticate the user at the time of ballot preparation, only at ballot casting time. In other words, you can let the ballot preparation machines be used by voters multiple times if they so choose, e.g. if they’re not happy about their previous experience for whatever reason. Even more interesting, you can weave auditors into the mix, letting them use the ballot preparation machines as much as they want during election day. Think of it: ACLU reps, party reps, all intermingled with voters, testing the ballot preparation machines live, flagging any calibration issue, presentation issue, etc…. It’s extremely powerful, especially since it doesn’t require any extra work from the voter.
In other words, open-audit voting systems have such flexibility that they can, in fact, be far superior to other voting systems regarding ballot presentation issues and machine input biases.
nor against delay- or denial-of-service attacks.
All voting systems are vulnerable to delay and denial of service… except with cryptographic auditing, you actually know who got denied: Alice’s encrypted vote doesn’t show up on the bulletin board, even though she has a receipt and there is a record of her voting. This is yet another area where cryptographic auditing shines: while you can never prevent denial-of-service, with cryptographic auditing, you can detect and remedy it.
Ronald: you really need to check out the schemes in detail, in particular the part about the public bulletin board, which lets you know exactly whose votes are being counted. There’s no “black box” in open-audit voting; it’s all out in the open, which means that any such process attack is visible to all observers.
Second, though they might (or might not) be proof against vote-flipping attacks, they are not proof against vote-cancellation attacks. In such an attack, the attacker programs the machine to generate a corrupted electronic record of her vote, along with a matching cryptographic receipt.
Okay, stop. This is very, very wrong. The whole point of the cryptographic receipt is that this exact situation cannot happen. Ever. Not in a million years. No one can fake this proof. That’s mathematically proven. And I don’t mean “it’s safe as long as factoring large numbers is hard.” I mean it’s safe as long as you agree that it’s incredibly unlikely that I’m going to win the lottery every day for the next 10 years.
So, if a machine fakes a proof, and the receipt is checked, it will get caught. Always. It then takes a very small percentage of receipt auditing to catch a cheating machine, and a cheating machine is immediately investigated forensically. Since we can easily trace who cast a vote on that machine, all of those votes’ proofs can be checked, and those voters whose proofs don’t check out can actually revote.
Yes, that’s right, an open-audit voting system actually lets you detect what went wrong, and have only those people whose votes were miscaptured revote.
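As an added illustration (not code from this post or from Benaloh’s papers), here is a toy model of the cast-or-audit challenge that lets the observers described above test the ballot preparation machines, and that makes the “very small percentage of receipt auditing” argument concrete. The ElGamal group parameters, the two-candidate race and the cheating fraction are all constructed for the example; the group is far too small to be secure.

```python
import hashlib
import random

# Toy parameters (constructed for this example, INSECURE): p = 2q+1 is a
# tiny safe prime and g = 4 generates its order-q subgroup.
P, Q, G = 1019, 509, 4
SECRET_KEY = 123                       # trustee key: needed to tally, never to audit
PUBLIC_KEY = pow(G, SECRET_KEY, P)

def encrypt(candidate, r):
    """Exponential ElGamal: (g^r, g^candidate * h^r); fully determined by r."""
    return (pow(G, r, P), pow(G, candidate, P) * pow(PUBLIC_KEY, r, P) % P)

def receipt_for(ciphertext):
    """What the voter takes home: a fingerprint of the ciphertext to be posted."""
    return hashlib.sha256(repr(ciphertext).encode()).hexdigest()[:16]

def prepare_ballot(choice, cheat, rng):
    """The preparation machine fixes its ciphertext BEFORE learning whether this
    ballot will be cast or challenged. A cheating machine encrypts the other
    candidate while still printing the voter's real choice on the audit slip."""
    r = rng.randrange(1, Q)
    encrypted_as = (choice + 1) % 2 if cheat else choice
    ciphertext = encrypt(encrypted_as, r)
    return {"ciphertext": ciphertext, "receipt": receipt_for(ciphertext),
            "claimed_choice": choice, "r": r}

def audit(ballot):
    """Anyone (voter, party rep, observer) re-encrypts the claimed choice with
    the revealed randomness; no secret key and no trust in the software needed."""
    return encrypt(ballot["claimed_choice"], ballot["r"]) == ballot["ciphertext"]

def run_election(n_voters, cheat_fraction, audit_rate, seed=1):
    """Simulate an election day; return (ballots corrupted, corruptions caught)."""
    rng = random.Random(seed)
    corrupted = caught = 0
    for _ in range(n_voters):
        cheat = rng.random() < cheat_fraction
        ballot = prepare_ballot(rng.randrange(2), cheat, rng)
        corrupted += cheat
        if rng.random() < audit_rate and not audit(ballot):
            caught += 1
    return corrupted, caught

def escape_probability(corrupted, audit_rate):
    """Chance that a machine which corrupted `corrupted` ballots is never challenged."""
    return (1 - audit_rate) ** corrupted
```

A single failed audit is enough to flag the machine, and because the randomness is revealed only for challenged ballots, the cast ballots keep their secrecy.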
When the votes are tallied, the corrupt record will either not decrypt to anything sensible, or will decrypt, but will contain a bad signature (depending on the crypto scheme). Now it doesn’t matter whether the voter checks the tally, since both her electronic record and her receipt are corrupt.
Again, in crypto voting schemes, this is impossible. Ronald seems to think the receipt is like a FedEx tracking number, where the back-end database might simply not have a record for your receipt. This is incorrect. Your receipt proves that your vote was correctly captured, no matter how the machine is programmed. You don’t have to trust the program; the proof is in your interaction with the machine.
There are some schemes in which it is indeed possible that a vote would end up “corrupt” if the machine is cheating. But again, if that happens, it’s fully visible to all, and fully traceable back to the machine in question. Such a corrupt vote can only result from machine error, not the voter’s error, so it’s absolutely not a vote cancellation attack. If such a corrupt vote is detected, heads will roll, people will go to jail, and the few people affected will easily be able to revote. The big point to remember here is: open-audit means anyone can audit. Mistakes cannot hide, errors are attributed to the guilty party, and recovery is very doable.
Now let’s assume that the attacker corrupted enough records to theoretically flip the election. What do the officials do? Write it off as a “glitch” and certify the election, as is all too common with existing e-voting systems? Order a forensic investigation that concludes long after the fact, long after the attacker’s program has erased itself, and long after the election has been certified? Order a re-vote?
So again, the presumption that the attacker can corrupt votes is simply false. But suppose that, somehow, the attacker manages to do this, and corrupted votes do appear at the end of the day. Then what? Well, again, with cryptographic voting schemes, everything is traceable. You can trace those corrupt votes back to the name of the voter (with agreement of all trustees of course, not everyone can do this), figure out which machine they voted on, begin a serious forensic investigation, and recover only those votes that need recovering.
The Take-Away Message
Ronald’s message implies that there are certain voting systems which never suffer from the problems he mentions: corrupt votes, evil voting machines, stuffed ballot boxes, destroyed ballot boxes, etc…. This is obviously false. All voting systems can be attacked. The difference is that when an open-audit system is attacked, everyone sees it, the attack can be traced and localized, the guilty people get caught for sure and the problem can be remedied with the most minimal intervention. In any other system, you’re lucky to even detect the problem, and, even if you do, what can you do? 300 extra paper ballots in the ballot box? How can you recover? Impossible.
Cryptographic auditing is not about having trusted machines produce extra signatures that can be checked only if all goes well. It’s about having untrusted machines be forced to prove mathematically that they did the right thing. No software needs to be trusted. The beauty of the latest schemes, such as Benaloh’s, is that the checking can be done entirely by political parties and activist organizations: voters don’t need to do anything more than vote, get a receipt, and either check it themselves or hand it to a trusted helper who can check it for them.
Ronald’s points show a deep level of misinformation, which is unfortunate. I’m going to continue to work on clarifying the message regarding open-audit voting with cryptography. There are valid issues to address regarding open-audit voting techniques (are they usable enough? Are they deployable? What laws would have to change?), but the points Ronald raises are incorrect.