Scantegrity

Last updated
Part of the Politics series
Voting
Vote icon.svg
Balloting
Ballots
Candidates and Ballot measures
Collection
Counting
Electoral systems
Plurality and majoritarian systems
Proportional and semi-proportional systems
Mixed-member systems
Voting strategies
Protest votes
Voting patterns and effects
Protest votes
Electoral fraud and prevention
Prevention
A coloured voting box.svg Politicsportal

Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy. [1]

Contents

Scantegrity II prints the confirmation codes in invisible ink to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both software independent as well as independent of faults in the physical chain-of-custody of the paper ballots. The system was developed by a team of researchers including cryptographers David Chaum and Ron Rivest.

Advantages

Optical scan voting systems produce an electronic tally, while maintaining the original paper ballots which can be rescanned or manually hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to either trust that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point. [2] Other E2E voting systems such as Punchscan and ThreeBallot, address these issues but require existing polling place equipment and procedures to be greatly altered or replaced. [3] In contrast, Scantegrity is an add-on meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware and software and procedural modifications. [1]

For all other voters, the ballot marking procedure is essentially identical to conventional optical scan paper-ballots. Similarly, the underlying system still produces both an electronic tally as well as a human readable paper trail through which manual recounts can still be conducted.

Method

Scantegrity II ballot and decoder pen. Left: Unmarked optical scan bubble. Right: Marked optical scan bubble revealing confirmation code "FY" Scantegrity II Ballot.jpg
Scantegrity II ballot and decoder pen.
Left: Unmarked optical scan bubble.
Right: Marked optical scan bubble revealing confirmation code "FY"

The Scantegrity II voting procedure is similar to that of a traditional optical scan voting system, except that each voting response location contains a random confirmation code printed in invisible ink. [4] The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code. [5]

Voters wishing to verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number. [6] Otherwise, the voter can simply ignore the code and continue to mark and cast their ballot as normal.

The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also pre-committed to a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.

Checking

After the election is finished, the election authority publicly posts a list of confirmation codes for the positions marked on each ballot it received. Voters who wrote down their codes can verify that the codes are correct for their ballot number and that no codes were added or removed. [6] If the posted record is incorrect, the voter may file a dispute. Spurious disputes can be excluded from consideration by comparing the claimed codes to the set of possible codes for a given contest on a ballot—the probability of randomly guessing a code that actually appeared on the ballot is low.

Verification

After the election, the trustees generate an independent tally from the voter-verifiable list of ballots and confirmation codes. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend. Many such backends have been proposed for tallying votes, including the ones used by Punchscan and Prêt à Voter. Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties. [7]

Use in public elections

The city of Takoma Park, Maryland used Scantegrity II for its November, 2009 election. [8] [9] Scantegrity was used again in Takoma Park for its November 2011 election.

Notes

  1. 1 2 Chaum, David; Aleks Essex; Richard T. Carback III; Jeremy Clark; Stefan Popoveniuc; Alan T. Sherman; Poorvi Vora (May–June 2008), "Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting" (PDF), IEEE Security & Privacy, 6 (6:3): 40–46, doi:10.1109/MSP.2008.70, S2CID   1149973, archived from the original (PDF) on 2016-01-16, retrieved 2016-11-23
  2. Rowell, Laurie (March 2008), "Down for the Count", ACM NetWorker Magazine, no. 12:1, pp. 17–23, archived from the original on December 5, 2008
  3. Hunter, Adam (2008), "Click Here For President: The Future of Voting in America", MSN Tech & Gadgets, archived from the original on 2008-09-10
  4. Chaum, David; Richard Carback; Jeremy Clark; Aleksander Essex; Stefan Popoveniuc; Ronald L. Rivest; Peter Y. A. Ryan; Emily Shen; Alan T. Sherman (2008), "Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes" (PDF), Proceedings of USENIX/ACCURATE EVT
  5. Lafsky, Melissa (October 2008), "Protecting Your Vote With Invisible Ink", Discover Magazine
  6. 1 2 Mahoney, Matt (September–October 2008), "Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly", Technology Review
  7. Lombardi, Rosie (March 27, 2008), "Canadian voting machine enters American political machine", InterGovWorld.com, archived from the original on 2008-05-16
  8. Pilot Study of the Scantegrity II Voting System Planned for the 2009 Takoma Park City Election (PDF), archived from the original (PDF) on 2011-07-19
  9. Hardesty, Larry, "Cryptographic voting debuts" (PDF), MIT news, archived from the original on 2011-07-19, retrieved 2009-11-30

Further reading

Related Research Articles

<span class="mw-page-title-main">Invisible ink</span> Substance used for writing which is invisible and can later be made visible

Invisible ink, also known as security ink or sympathetic ink, is a substance used for writing, which is invisible either on application or soon thereafter, and can later be made visible by some means, such as heat or ultraviolet light. Invisible ink is one form of steganography.

<span class="mw-page-title-main">David Chaum</span> American computer scientist and cryptographer (born 1955)

David Lee Chaum is an American computer scientist, cryptographer, and inventor. He is known as a pioneer in cryptography and privacy-preserving technologies, and widely recognized as the inventor of digital cash. His 1982 dissertation "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups" is the first known proposal for a blockchain protocol. Complete with the code to implement the protocol, Chaum's dissertation proposed all but one element of the blockchain later detailed in the Bitcoin whitepaper. He has been referred to as "the father of online anonymity", and "the godfather of cryptocurrency".

A voting machine is a machine used to record votes in an election without paper. The first voting machines were mechanical but it is increasingly more common to use electronic voting machines. Traditionally, a voting machine has been defined by its mechanism, and whether the system tallies votes at each voting location, or centrally. Voting machines should not be confused with tabulating machines, which count votes done by paper ballot.

Electronic voting is voting that uses electronic means to either aid or take care of casting and counting ballots including voting time.

An electronic voting machine is a voting machine based on electronics. Two main technologies exist: optical scanning and direct recording (DRE).

Vote counting is the process of counting votes in an election. It can be done manually or by machines. In the United States, the compilation of election returns and validation of the outcome that forms the basis of the official results is called canvassing.

Voter verifiable paper audit trail (VVPAT) or verified paper record (VPR) is a method of providing feedback to voters using a ballotless voting system. A VVPAT is intended as an independent verification system for voting machines designed to allow voters to verify that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results. It contains the name of the candidate and symbol of the party/individual candidate. While it has gained in use in the United States compared with ballotless voting systems without it, it looks unlikely to overtake hand-marked ballots.

A DRE voting machine, or direct-recording electronic voting machine, records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter. These are typically buttons or a touchscreen; and they process data using a computer program to record voting data and ballot images in memory components. After the election, it produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location. The device started to be massively used in 1996 in Brazil where 100% of the elections voting system is carried out using machines.

<span class="mw-page-title-main">Elections in South Korea</span>

Elections in South Korea are held on a national level to select the President and the National Assembly. Local elections are held every four years to elect governors, metropolitan mayors, municipal mayors, and provincial and municipal legislatures.

<span class="mw-page-title-main">ThreeBallot</span> End-to-end auditable anonymous voting system

ThreeBallot is a voting protocol invented by Ron Rivest and Warren D. Smith in 2006. ThreeBallot is an end-to-end (E2E) auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptographic keys.

Punchscan is an optical scan vote counting system invented by cryptographer David Chaum. Punchscan is designed to offer integrity, privacy, and transparency. The system is voter-verifiable, provides an end-to-end (E2E) audit mechanism, and issues a ballot receipt to each voter. The system won grand prize at the 2007 University Voting Systems Competition.

End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper resistance. E2E systems use cryptographic techniques that allow voters to verify their votes were counted as cast, without revealing which candidates a voter supported. As such, these systems are sometimes referred to as receipt-based systems.

An optical scan voting system is an electronic voting system and uses an optical scanner to read marked paper ballots and tally the results.

Prêt à Voter is an E2E voting system devised by Peter Ryan of the University of Luxembourg. It aims to provide guarantees of accuracy of the count and ballot privacy that are independent of software, hardware etc. Assurance of accuracy flows from maximal transparency of the process, consistent with maintaining ballot privacy. In particular, Prêt à Voter enables voters to confirm that their vote is accurately included in the count whilst avoiding dangers of coercion or vote buying.

The Voluntary Voting System Guidelines (VVSG) are guidelines adopted by the United States Election Assistance Commission (EAC) for the certification of voting systems. The National Institute of Standards and Technology's Technical Guidelines Development Committee (TGDC) drafts the VVSG and gives them to the EAC in draft form for their adoption.

Bingo voting is an electronic voting scheme for transparent, secure, end-to-end auditable elections. It was introduced in 2007 by Jens-Matthias Bohli, Jörn Müller-Quade, and Stefan Röhrich at the Institute of Cryptography and Security (IKS) of the Karlsruhe Institute of Technology (KIT).

Alan Theodore Sherman is an American computer scientist. He is a professor of computer science at University of Maryland, Baltimore County (UMBC), and director of the UMBC Center for Information Security and Assurance (CISA), and director of the UMBC Chess Program. Sherman is an editor for Cryptologia, and is a member of Phi Beta Kappa and Sigma Xi.

<span class="mw-page-title-main">Helios Voting</span>

Helios Voting is an open-source, web-based electronic voting system. Users can vote in elections and users can create elections. Anyone can cast a ballot; however, for the final vote to be counted, the voter's identification must be verified. Helios uses homomorphic encryption to ensure ballot secrecy.

<span class="mw-page-title-main">Electronic voting in the United States</span> Facet of American elections

Electronic voting in the United States involves several types of machines: touchscreens for voters to mark choices, scanners to read paper ballots, scanners to verify signatures on envelopes of absentee ballots, and web servers to display tallies to the public. Aside from voting, there are also computer systems to maintain voter registrations and display these electoral rolls to polling place staff.

Direct Recording Electronic with Integrity and Enforced Privacy (DRE-ip) is an End-to-End (E2E) verifiable e-voting system without involving any tallying authorities, proposed by Siamak Shahandashti and Feng Hao in 2016. It improves a previous DRE-i system by using a real-time computation strategy and providing enhanced privacy. A touch-screen based prototype of the system was trialed in the Gateshead Civic Centre polling station on 2 May 2019 during the 2019 United Kingdom local elections with positive voter feedback. A proposal that includes DRE-ip as a solution for large-scale elections was ranked 3rd place in the 2016 Economist Cybersecurity Challenge jointly organized by The Economist and Kaspersky Lab.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.