Page 15 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
The Witness-Voting System
4 Previous Work
The effective use of computing technology has been promoted by Saltman [19, 20]
and others for more than 40 years (see footnote 9). The application of
cryptography dates from the early 80’s (Chaum [21]).
A well-known approach to improve election outcome trustworthiness is to add
auditing mechanisms (see footnote 10) with the intent to preempt or at least
resolve a dispute regarding the proper casting and counting of votes, for
example to provide an acceptably high confidence level that all ballots were
counted as cast.
Auditing proposals usually differ in their methods as applied to electronic
voting and paper ballots. Particularly relevant to the use of computers [2, 8],
auditing should be understandable by voters.
A number of independent verification mechanisms and verification enhancements,
including voter-verified and universally-verifiable methods, have been
proposed, for example by Cohen and Fischer [22], Benaloh [23], Mercuri [24],
Cramer and Franklin [25], Benaloh and Tuinstra [26], Gerck [14, 17, 18, 27],
Neff [28], Jakobsson, Juels, and Rivest [29], Kiayias and Yung [30], Mercuri and
Neumann [31], Chaum [32], Chaum, Ryan and Schneider [33], and Chaum et al.
[34]. Other contributions include auditing systems for the software used in
elections, for example from Garera and Rubin [35], as well as proposals calling
for using more-easily-auditable open-source software such as by Wyson [36],
Kitcat [37], and the Caltech/MIT Voting Technology Project [38].
Auditing should also allow recounting, to duplicate the result of an election.
The purpose of a recount is to correct or confirm the results. California, for
example, has mandated a 1% recount of all ballots automatically without payment
from a candidate. A recount, however, is critically flawed in terms of auditing if
only the same elements are counted again, since there is no independent source
to verify them (see footnote 10).
As reviewed in the next two sections, a common limitation in classical paper
ballot and electronic voting systems is in providing the needed audit capabilities
of voters and ballots while still satisfying voter privacy (election best practice
rules and US state laws require a secret ballot, see footnote 1).
In particular, voter-verified auditing should not cause a privacy violation
problem. A voter who discovers an error ought not lose the privacy of voting in
the course of the demonstration of an inconsistency. The secret ballot
requirement also fails for a voter-verified or universally-verified auditing
method when voter privacy is protected by trusting a quorum of verifiers or
election operators, with a threshold of collusion, as discussed in Section 7.1,
under “Computational Privacy”.
9 Computerized voting with punched cards was used in 1968 in Los Angeles County,
Calif., USA [19].
10 It is well-understood that a voting system should be auditable. An audit is an
independent verification; it must be carried out in ways that are significantly
different from the initially accomplished task, including the use of different
machines and people.

