Scantegrity: Difference between revisions

From Wikipedia, the free encyclopedia
Citation bot (talk | contribs)
m Citation maintenance. Formatted: journal, pages. You can use this bot yourself! Please report any bugs.
add sidebar
 
(28 intermediate revisions by 23 users not shown)
Line 1: Line 1:
{{Short description|Security enhancement for voting system}}{{Voting sidebar}}
'''Scantegrity''' is a security enhancement for [[optical scan voting system]]s, providing such systems with [[End-to-end auditable voting systems|end-to-end (E2E)]] verifiability of election results. It uses privacy-preserving confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally.

'''Scantegrity''' is a security enhancement for [[optical scan voting system]]s, providing such systems with [[End-to-end auditable voting systems|end-to-end (E2E)]] verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.<ref name="scantegrity">{{Citation
| author1 =Chaum, David
| authorlink1 =David_Chaum
| author2 =Aleks Essex
| author3 =Richard T. Carback III
| author4 =Jeremy Clark
| author5 =Stefan Popoveniuc
| author6 =Alan T. Sherman
| author7 =Poorvi Vora
| title =Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting
| journal =IEEE Security & Privacy
| date =May–June 2008
| volume =6
| url =http://scantegrity.org/papers/scantegrityIEEESP.pdf
| issue =6:3
| pages =40–46
| doi =10.1109/MSP.2008.70
| s2cid =1149973
| archive-url =https://web.archive.org/web/20160116134242/http://www.scantegrity.org/papers/scantegrityIEEESP.pdf
| access-date =2016-11-23
| archive-date =2016-01-16
| url-status =dead}}</ref>


''Scantegrity II'' prints the confirmation codes in [[invisible ink]] to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both [[Software independence|software independent]] as well as independent of faults in the physical [[Chain of custody|chain-of-custody]] of the paper ballots. The system was developed by a team of researchers including cryptographers [[David Chaum]] and [[Ron Rivest]].
''Scantegrity II'' prints the confirmation codes in [[invisible ink]] to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both [[Software independence|software independent]] as well as independent of faults in the physical [[Chain of custody|chain-of-custody]] of the paper ballots. The system was developed by a team of researchers including cryptographers [[David Chaum]] and [[Ron Rivest]].
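Review bot: The Scantegrity citation in this hunk now carries both `| volume =6` and `| issue =6:3`, so the volume is stated twice and the reference renders as "6 (6:3)". With the volume parameter added, reduce the issue parameter to the issue number alone (`| issue =3`).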
Line 5: Line 28:
== Advantages ==
== Advantages ==


[[Optical scan voting system]]s produce an electronic [[Tally (voting)|tally]], while maintaining the original paper ballots which can be rescanned or manually hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to either trust that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point.<ref>{{Citation
[[Optical scan voting system]]s produce an electronic [[Tally (voting)|tally]], while maintaining the original paper ballots which can be rescanned or manually hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to either trust that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point.<ref>{{Citation |last=Rowell |first=Laurie |title=Down for the Count |newspaper=ACM NetWorker Magazine |date=March 2008 |url=http://mags.acm.org/networker/200803/ |issue=12:1 |pages=17–23 |url-status=dead |archiveurl=https://web.archive.org/web/20081205070217/http://mags.acm.org/networker/200803/ |archivedate=December 5, 2008 }}</ref> Other E2E voting systems such as [[Punchscan]] and [[ThreeBallot]], address these issues but require existing polling place equipment and procedures to be greatly altered or replaced.<ref>{{Citation
| last =Rowell
| first =Laurie
| title =Down for the Count
| newspaper =ACM NetWorker Magazine
| date =March 2008
| url =http://mags.acm.org/networker/200803/
| issue =12:1
| pages =17–23
}}</ref> Other E2E voting systems such as [[Punchscan]] and [[ThreeBallot]], address these issues but require existing polling place equipment and procedures to be greatly altered or replaced.<ref>{{Citation
| last =Hunter
| last =Hunter
| first =Adam
| first =Adam
| title =Click Here For President: The Future of Voting in America
| title =Click Here For President: The Future of Voting in America
| newspaper =MSN Tech & Gadgets
| newspaper =MSN Tech & Gadgets
| date =2008
| year =2008
| url =http://tech.msn.com/news/article.aspx?cp-documentid=9168472
| url =http://tech.msn.com/news/article.aspx?cp-documentid=9168472
| archive-url =https://web.archive.org/web/20080910232138/http://tech.msn.com/news/article.aspx?cp-documentid=9168472
}}</ref> In contrast, Scantegrity is an [[Retrofit|add-on]] meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware and software and procedural modifications.<ref>{{cite journal
| archive-date =2008-09-10
| last =Chaum
| first =David
| url-status =dead
}}</ref> In contrast, Scantegrity is an [[Retrofit|add-on]] meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware and software and procedural modifications.<ref name="scantegrity" />
| authorlink =David_Chaum
| coauthors =Aleks Essex, Richard T. Carback III, Jeremy Clark, Stefan Popoveniuc, Alan T. Sherman, Poorvi Vora
| title =Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting
| journal =IEEE Security & Privacy
| date =May/June 2008
| url =http://scantegrity.org/papers/scantegrityIEEESP.pdf
| issue =6:3
| pages =40–46}}</ref>
For all other voters, the ballot marking procedure is essentially identical to conventional optical scan paper-ballots. Similarly, the underlying system still produces both an electronic tally as well as a human readable [[wiktionary:paper trail|paper trail]] through which [[Vote counting system#Manual counting|manual recounts]] can still be conducted.
For all other voters, the ballot marking procedure is essentially identical to conventional optical scan paper-ballots. Similarly, the underlying system still produces both an electronic tally as well as a human readable [[wiktionary:paper trail|paper trail]] through which [[Vote counting system#Manual counting|manual recounts]] can still be conducted.
Line 38: Line 45:
[[Image:Scantegrity II Ballot.jpg|thumb|Scantegrity II ballot and decoder pen.<br> '''Left:''' Unmarked optical scan bubble. <br>'''Right:''' Marked optical scan bubble revealing confirmation code "FY"]]
[[Image:Scantegrity II Ballot.jpg|thumb|Scantegrity II ballot and decoder pen.<br> '''Left:''' Unmarked optical scan bubble. <br>'''Right:''' Marked optical scan bubble revealing confirmation code "FY"]]


The Scantegrity II voting procedure is similar to that of a traditional [[optical scan voting system]], except that each voting response location contains a random confirmation code printed in [[invisible ink]].<ref>{{cite journal
The Scantegrity II voting procedure is similar to that of a traditional [[optical scan voting system]], except that each voting response location contains a random confirmation code printed in [[invisible ink]].<ref>{{Citation
| last =Chaum
| author1 =Chaum, David
| authorlink1 =David_Chaum
| first =David
| author2 =Richard Carback
| authorlink =David_Chaum
| author3 =Jeremy Clark
| coauthors =Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, Alan T. Sherman
| author4 =Aleksander Essex
| author5 =Stefan Popoveniuc
| author6 =Ronald L. Rivest
| author7 =Peter Y. A. Ryan
| author8 =Emily Shen
| author9 =Alan T. Sherman
| title =Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes
| title =Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes
| journal =Proceedings of USENIX/ACCURATE EVT
| journal =Proceedings of USENIX/ACCURATE EVT
| date =2008
| year =2008
| url =http://www.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf
| url =http://www.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf
}}</ref> The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code.<ref>{{Citation
}}</ref> The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code.<ref>{{Citation
Line 54: Line 67:
| date =October 2008
| date =October 2008
| url =http://discovermagazine.com/2008/oct/04-protecting-your-vote-with-invisible-ink
| url =http://discovermagazine.com/2008/oct/04-protecting-your-vote-with-invisible-ink
}}</ref>
}}</ref>


Voters wishing to verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number.<ref>{{Citation
Voters wishing to verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number.<ref name="technologyreview">{{Citation
| last =Mahoney
| last =Mahoney
| first =Matt
| first =Matt
| title =Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly
| title =Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly
| newspaper =Technology Review
| newspaper =Technology Review
| date =September/October 2008
| date =September–October 2008
| url =http://www.technologyreview.com/Infotech/21225/?a=f
| url =http://www.technologyreview.com/Infotech/21225/?a=f
}}</ref> Otherwise, the voter can simply ignore the code and continue to mark and cast their ballot as normal.
}}</ref>


The voter can simply ignore the code and continue to mark and cast their ballot as normal. Those voters choosing to do so may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number. The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also [[Commitment scheme|pre-committed]] to a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.
The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also [[Commitment scheme|pre-committed]] to a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.


=== Checking ===
=== Checking ===


After the election is finished, the election authority publicly posts a list of confirmation codes for the positions marked on each ballot it received. Voters who wrote down their codes can verify that the codes are correct for their ballot number and that no codes were added or removed.<ref>{{Citation
After the election is finished, the election authority publicly posts a list of confirmation codes for the positions marked on each ballot it received. Voters who wrote down their codes can verify that the codes are correct for their ballot number and that no codes were added or removed.<ref name="technologyreview" /> If the posted record is incorrect, the voter may file a dispute. Spurious disputes can be excluded from consideration by comparing the claimed codes to the set of possible codes for a given contest on a ballot—the probability of randomly guessing a code that actually appeared on the ballot is low.
| last =Mahoney
| first =Matt
| title =Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly
| newspaper =Technology Review
| date =September/October 2008
| url =http://www.technologyreview.com/Infotech/21225/?a=f
}}</ref> If the posted record is incorrect, the voter may file a dispute. Spurious disputes can be excluded from consideration by comparing the claimed codes to the set of possible codes for a given contest on a ballot—the probability of randomly guessing a code that actually appeared on the ballot is low.


=== Verification ===
=== Verification ===


After the election, the trustees generate an independent tally from the voter-verifiable list of ballots and confirmation codes. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend. Many such backends have been proposed for tallying votes, including the ones used by [[Punchscan]] and [[Prêt à Voter]]. Scantegrity currently uses a backend based on the Aperio voting system.<ref>{{cite journal
After the election, the trustees generate an independent tally from the voter-verifiable list of ballots and confirmation codes. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend. Many such backends have been proposed for tallying votes, including the ones used by [[Punchscan]] and [[Prêt à Voter]]. Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties.<ref>{{Citation
| last =Essex
| first =Aleks
| coauthors =Jeremy Clark, Carlisle Adams
| title =Aperio: High Integrity Elections for Developing Countries
| journal =IAVoSS Workshop on Trustworthy Elections
| date =2008
| url =http://www.site.uottawa.ca/~aesse083/papers/aperio-WOTE.pdf }}</ref> Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties.<ref>{{Citation
| last =Lombardi
| last =Lombardi
| first =Rosie
| first =Rosie
Line 94: Line 93:
| date =March 27, 2008
| date =March 27, 2008
| url =http://www.intergovworld.com/article/eca959c50a01040801d1f967f0e6eacb/pg1.htm
| url =http://www.intergovworld.com/article/eca959c50a01040801d1f967f0e6eacb/pg1.htm
| archive-url =https://web.archive.org/web/20080516180855/http://www.intergovworld.com/article/eca959c50a01040801d1f967f0e6eacb/pg1.htm
| archive-date =2008-05-16
| url-status =dead
}}</ref>
}}</ref>


== Use in public elections ==
== Use in public elections ==


The city of [[Takoma Park, Maryland]] plans to use Scantegrity II for its November, 2009 election.<ref>{{Citation
The city of [[Takoma Park, Maryland]] used Scantegrity II for its November, 2009 election.<ref>{{Citation
| title =Pilot Study of the Scantegrity II Voting System Planned for the 2009 Takoma Park City Election
|title = Pilot Study of the Scantegrity II Voting System Planned for the 2009 Takoma Park City Election
| url =http://www.takomaparkmd.gov/committees/boe/documents/flyer_workshop_I_(02-19-09).pdf
|url = http://www.takomaparkmd.gov/committees/boe/documents/flyer_workshop_I_(02-19-09).pdf
|url-status = dead
}}</ref>
|archiveurl = https://web.archive.org/web/20110719064407/http://www.takomaparkmd.gov/committees/boe/documents/flyer_workshop_I_%2802-19-09%29.pdf
|archivedate = 2011-07-19
}}</ref><ref>{{Citation
| last = Hardesty
| first = Larry
| title = Cryptographic voting debuts
| work = MIT news
| accessdate = 2009-11-30
| url = http://web.mit.edu/newsoffice/2009/rivest-voting.html
| archive-url =https://web.archive.org/web/20110719064407/http://www.takomaparkmd.gov/committees/boe/documents/flyer_workshop_I_(02-19-09).pdf
| archive-date =2011-07-19
| url-status =dead
}}</ref> Scantegrity was used again in Takoma Park for its November 2011 election.


==Notes==
==Notes==
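Review bot: In the added Hardesty reference, `archive-url` points at the archived Takoma Park flyer PDF, the same snapshot used by the preceding citation, while `url` is the MIT news article at web.mit.edu. Replace it with an archive snapshot of the MIT page, or drop `archive-url`, `archive-date` and `url-status` from this reference until one is available; as written the note renders the article as a PDF archived on 2011-07-19.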
Line 116: Line 131:
* [http://discovermagazine.com/2008/oct/04-protecting-your-vote-with-invisible-ink Protecting Your Vote With Invisible Ink] ([[Discover Magazine]]).
* [http://discovermagazine.com/2008/oct/04-protecting-your-vote-with-invisible-ink Protecting Your Vote With Invisible Ink] ([[Discover Magazine]]).
* [http://www.technologyreview.com/Infotech/21225/?a=f Flawless Vote Counts] ([[Technology Review]]).
* [http://www.technologyreview.com/Infotech/21225/?a=f Flawless Vote Counts] ([[Technology Review]]).
* [http://tech.msn.com/news/article.aspx?cp-documentid=9168472 Click Here For President: The Future of Voting in America] (MSN Tech & Gadgets).
* [https://web.archive.org/web/20080910232138/http://tech.msn.com/news/article.aspx?cp-documentid=9168472 Click Here For President: The Future of Voting in America] (MSN Tech & Gadgets).
* [http://www.npr.org/templates/story/story.php?storyId=87974935 Shift Back to Paper Ballots Sparks Disagreement] ([[Morning Edition]]).
* [https://www.npr.org/templates/story/story.php?storyId=87974935 Shift Back to Paper Ballots Sparks Disagreement] ([[Morning Edition]]).
* [http://mags.acm.org/networker/200803/ Down for the Count] ([[Association for Computing Machinery|ACM netWorker]]).
* [http://mags.acm.org/networker/200803/ Down for the Count] ([[Association for Computing Machinery|ACM netWorker]]).
* [http://www.intergovworld.com/article/eca959c50a01040801d1f967f0e6eacb/pg1.htm Canadian voting machine enters American political machine] (InterGovWorld).
* [http://www.intergovworld.com/article/eca959c50a01040801d1f967f0e6eacb/pg1.htm Canadian voting machine enters American political machine] (InterGovWorld).
* [https://www.wired.com/threatlevel/2009/11/scantegrity Maryland Voters Test New Cryptographic Voting System] ([[Wired News]])
{{refend}}
{{refend}}


== External links ==
== External links ==
* [https://web.archive.org/web/20071021022217/http://scantegrity.org/ Scantegrity.org]
* [https://web.archive.org/web/20110619122145/http://video.google.com/videoplay?docid=7963759819804190312 Scantegrity II] video presentation
* Ben Adida's [http://benlog.com/articles/category/takoma-park-2009/ Takoma Park election] blog


[[Category:Electronic voting methods]]
* [http://www.scantegrity.org Scantegrity.org]
* [http://video.google.com/videoplay?docid=7963759819804190312 Scantegrity II] video presentation

[[Category:Voting]]
[[Category:Electronic voting]]
[[Category:Applications of cryptography]]
[[Category:Applications of cryptography]]

[[de:Scantegrity]]

Latest revision as of 17:35, 1 September 2024


Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.[1]

Scantegrity II prints the confirmation codes in invisible ink to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both software independent and independent of faults in the physical chain-of-custody of the paper ballots. The system was developed by a team of researchers including cryptographers David Chaum and Ron Rivest.

Advantages

Optical scan voting systems produce an electronic tally, while maintaining the original paper ballots, which can be rescanned or hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to trust either that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point.[2] Other E2E voting systems, such as Punchscan and ThreeBallot, address these issues but require existing polling place equipment and procedures to be greatly altered or replaced.[3] In contrast, Scantegrity is an add-on meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware, software and procedural modifications.[1]

For all other voters, the ballot marking procedure is essentially identical to that of conventional optical scan paper ballots. Similarly, the underlying system still produces both an electronic tally and a human-readable paper trail through which manual recounts can still be conducted.

Method

Scantegrity II ballot and decoder pen.
Left: Unmarked optical scan bubble.
Right: Marked optical scan bubble revealing confirmation code "FY"

The Scantegrity II voting procedure is similar to that of a traditional optical scan voting system, except that each voting response location contains a random confirmation code printed in invisible ink.[4] The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code.[5]

Voters wishing to verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number.[6] Otherwise, the voter can simply ignore the code and continue to mark and cast their ballot as normal.

The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also pre-committed to a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.

Checking

After the election is finished, the election authority publicly posts a list of confirmation codes for the positions marked on each ballot it received. Voters who wrote down their codes can verify that the codes are correct for their ballot number and that no codes were added or removed.[6] If the posted record is incorrect, the voter may file a dispute. Spurious disputes can be excluded from consideration by comparing the claimed codes to the set of possible codes for a given contest on a ballot—the probability of randomly guessing a code that actually appeared on the ballot is low.
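
The pre-commitment, print audit, receipt check and dispute filtering described in this section and the one before it can be modelled in a short Python sketch. This is an added illustration, not Scantegrity's own code: the salted SHA-256 commitment, the 24-letter two-character code alphabet, the sample ballot and all function names are assumptions, and the anonymity-preserving tally backend is not modelled.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"            # assumed alphabet (no I or O)
ALL_CODES = [a + b for a in ALPHABET for b in ALPHABET]  # two-letter codes like "FY"
_rng = secrets.SystemRandom()


def commit(serial, contest, position, code, salt):
    """Salted hash binding one code to one bubble on one ballot (assumed scheme)."""
    msg = f"{serial}|{contest}|{position}|{code}".encode()
    return hashlib.sha256(salt + msg).hexdigest()


def generate_ballot(serial, contests):
    """contests maps contest name -> number of candidates.
    Returns the secret codes and salts plus the commitments handed to the committee."""
    codes = {c: _rng.sample(ALL_CODES, n) for c, n in contests.items()}  # distinct per contest
    salts = {c: [secrets.token_bytes(16) for _ in codes[c]] for c in codes}
    commitments = {c: [commit(serial, c, i, code, salts[c][i])
                       for i, code in enumerate(codes[c])] for c in codes}
    return codes, salts, commitments


def print_audit(serial, revealed, salts, commitments):
    """Audit of a spare ballot: every code revealed on paper must open its commitment."""
    if revealed.keys() != commitments.keys():
        return False
    for contest, printed in revealed.items():
        if len(printed) != len(commitments[contest]):
            return False
        for i, code in enumerate(printed):
            opened = commit(serial, contest, i, code, salts[contest][i])
            if not hmac.compare_digest(opened, commitments[contest][i]):
                return False
    return True


def check_receipt(serial, receipt, board):
    """Voter check: the posted codes must equal the chit (none changed, added or removed)."""
    return board.get(serial) == receipt


def dispute_is_plausible(claimed, ballot_codes):
    """A disputed code counts only if it was really printed for that contest on that ballot."""
    return all(code in ballot_codes.get(contest, ()) for contest, code in claimed.items())


def guess_probability(n_candidates):
    """Chance that one randomly guessed code is valid for a contest on a given ballot."""
    return n_candidates / len(ALL_CODES)


def demo():
    serial = "0001"                                  # constructed sample ballot
    codes, salts, commitments = generate_ballot(serial, {"Mayor": 3, "Council": 2})
    receipt = {"Mayor": codes["Mayor"][1], "Council": codes["Council"][0]}
    honest_board = {serial: dict(receipt)}
    altered_board = {serial: {**receipt, "Mayor": codes["Mayor"][2]}}
    unused = next(c for c in ALL_CODES if c not in codes["Mayor"])
    misprinted = {**codes, "Mayor": codes["Mayor"][::-1]}
    return {
        "audit_ok": print_audit(serial, codes, salts, commitments),
        "misprint_caught": not print_audit(serial, misprinted, salts, commitments),
        "honest_check": check_receipt(serial, receipt, honest_board),
        "altered_check": check_receipt(serial, receipt, altered_board),
        "real_dispute": dispute_is_plausible(receipt, codes),
        "spurious_dispute": dispute_is_plausible({"Mayor": unused}, codes),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```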

Verification

After the election, the trustees generate an independent tally from the voter-verifiable list of ballots and confirmation codes. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend. Many such backends have been proposed for tallying votes, including the ones used by Punchscan and Prêt à Voter. Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties.[7]

Use in public elections

The city of Takoma Park, Maryland, used Scantegrity II for its November 2009 election.[8][9] Scantegrity was used again in Takoma Park for its November 2011 election.

Notes

  1. ^ a b Chaum, David; Aleks Essex; Richard T. Carback III; Jeremy Clark; Stefan Popoveniuc; Alan T. Sherman; Poorvi Vora (May–June 2008), "Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting" (PDF), IEEE Security & Privacy, 6 (6:3): 40–46, doi:10.1109/MSP.2008.70, S2CID 1149973, archived from the original (PDF) on 2016-01-16, retrieved 2016-11-23
  2. ^ Rowell, Laurie (March 2008), "Down for the Count", ACM NetWorker Magazine, no. 12:1, pp. 17–23, archived from the original on December 5, 2008
  3. ^ Hunter, Adam (2008), "Click Here For President: The Future of Voting in America", MSN Tech & Gadgets, archived from the original on 2008-09-10
  4. ^ Chaum, David; Richard Carback; Jeremy Clark; Aleksander Essex; Stefan Popoveniuc; Ronald L. Rivest; Peter Y. A. Ryan; Emily Shen; Alan T. Sherman (2008), "Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes" (PDF), Proceedings of USENIX/ACCURATE EVT
  5. ^ Lafsky, Melissa (October 2008), "Protecting Your Vote With Invisible Ink", Discover Magazine
  6. ^ a b Mahoney, Matt (September–October 2008), "Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly", Technology Review
  7. ^ Lombardi, Rosie (March 27, 2008), "Canadian voting machine enters American political machine", InterGovWorld.com, archived from the original on 2008-05-16
  8. ^ Pilot Study of the Scantegrity II Voting System Planned for the 2009 Takoma Park City Election (PDF), archived from the original (PDF) on 2011-07-19
  9. ^ Hardesty, Larry, "Cryptographic voting debuts" (PDF), MIT news, archived from the original on 2011-07-19, retrieved 2009-11-30
