Remarks on The Technologies of Electronic Voting
by Ronald L. Rivest

Harvard University's Kennedy School of Government
Digital Voting Symposium
http://designforvalues.org/voting/
June 1, 2004
(Panel Session 2: The Technologies of Voting)

[These notes were written up post-facto from my handwritten notes, so this is not a verbatim transcript but rather a reconstruction of what I think I said, more or less.]

--------------------------------------------------------------------------

Good morning. My name is Ron Rivest; I'm a Professor in the Electrical Engineering and Computer Science Department at MIT. My background and expertise are in cryptography and the mathematics of security. I've also been a member of the CalTech/MIT Voting Technology Project since its inception after the last U.S. Presidential election.

I like the problem of devising appropriate technology for voting for three reasons:
(1) It is an obviously important problem,
(2) It is a hard technical problem, since the requirements are nearly self-contradictory (the requirement for voter privacy is particularly challenging),
(3) There are many wonderful and talented people working on this, people committed to making democracy work better.

Voting technology is clearly a technology in transition; we are going through (another) "phase change" in voting technology. We have seen many such transitions before: from paper ballots to lever machines to punch cards to optical scan. Now we seem to be at the beginning stages of a transition to computerized or electronic voting. It is easy to predict that there will be numerous further such technology transitions down the road. I find it helpful to take a "long-term" view of technology evolution.
A corollary is that we should view the "voting problem" not as a "problem to be solved"---where we can hope to come up with an ultimate "best possible solution" and stick with it forever---but rather as a challenge in managing a continuing process of technology evolution and continual improvement.

I believe that we are still in the early stages of a transition to electronic voting. Rebecca (Mercuri) just gave an automobile-based analogy; let me give another one, related to voter-verified paper audit trails (VVPAT's).

Imagine that we are in the early days of automobiles, when "Model A's" are being sold---but without any form of roof! A purchaser will realize as soon as there is a rainstorm that certain risks are not being handled well (or at all), but the car is sure fast and fun to drive! The proposed "fix" is to give each car owner an umbrella to carry around and pull out when it rains. This "works", sort of, but is really rather awkward and doesn't handle all of the risks, such as when there is high wind. If you have already bought such a roofless car, then using an umbrella may be your best temporary "solution", but ultimately you would expect the automobile manufacturer to produce a vehicle with a better approach, which addresses the risks in a more fundamental way.

Voter-verified paper audit trails feel, to me, a bit like umbrellas for roofless cars. VVPAT's may well be the best "fix" for certain obvious security problems with current DRE's, but ultimately one could hope for a more comprehensive approach with greater security and better usability and cost.

How---and how successfully---will we manage this expected transition to secure electronic voting? Will we be able to do so and make the "official ballot" electronic? (Yes, I believe that we will be able to do so.) Will we be able to eliminate paper from the voting process? (Perhaps not, but paper may be used for purposes other than for recording the official ballot.)
I'd like to talk now for a while about where the future may be for electronic voting. There are some recent proposals due to David Chaum and Andy Neff that suggest the beginnings of a revolution, or at least a paradigm shift, in how one can design secure voting systems. David calls these "voter verified secret ballots", which I think is apt. While voting systems may or may not end up moving in these directions, I believe that they show much promise, and show that vigorous innovation is continuing.

Here are some highlights of these proposals; I don't have the time to describe them fully. You might contact them directly for more details and the latest versions of their papers.

One theme is the fundamental importance of cryptography in these proposals. Cryptography is not used in some ancillary manner, for example, to secure communications lines. It plays a central role in the architecture. Perhaps surprisingly, the use of cryptography helps make these designs more open and transparent, not less. Cryptography has evolved from being a rather blunt instrument to one where one can exercise very detailed control over the disclosure of information; in a voting system you can now make almost everything available for public inspection (say on a web site or public "bulletin board"), stopping only at the point where a voter's privacy would be violated.

A second theme is an emphasis on certifying election results, rather than certifying election equipment. Clearly, having accurate election results is the real goal, not having trustworthy election equipment per se; the latter is only a means towards the goal of accurate election results.
Indeed, the normal argument is quite indirect: we believe the election results are accurate because we believe that the equipment certification process is likely to have caused most or all of the problems to be fixed, and because we believe that the machines as purchased and installed were identical to what was certified, and we believe that an adversary would be unlikely to have found vulnerabilities that weren't discovered during certification, and we believe that the machines weren't tampered with or modified since their purchase, and we believe that the vote totals were correctly computed, etc., etc.

The newer proposals eliminate this long chain of indirect reasoning, and allow the accuracy of the final vote tally to be proven directly, without having to trust the integrity of the voting machines themselves. Source code review, configuration control, and other procedures may still be advisable as preventative measures, but they are no longer required for security. The voting machines must instead produce "evidence of correct operation" for every output they produce. A corrupted machine cannot produce such evidence.

The third theme is that the official ballot is electronic and is an encryption of the voter's choices. This official ballot is made public and posted on the web or a public "bulletin board" along with the voter's name. Of course, since the ballots are ciphertext, no-one can see how anyone voted. Moreover, the voter can be given a signed "receipt copy" of her ballot as she leaves the poll site, so that she can protest if her name and ballot don't appear on the public ballot list. Again, because the ballot is ciphertext, the voter can't use it to prove to anyone else how she voted.

This receipt copy is definitely not the same as a VVPAT: this receipt is not the official ballot, the voter takes it away with her when she leaves, and it plays no role in a recount.
Although the idea of having the official ballot be an encryption of the voter's choices is not new, the Chaum and Neff proposals do so in a new way, so as to be able to give the voter confidence that this encryption was done correctly.

There are really two central problems in voting:
-- Making sure that votes are "cast as intended", and
-- Making sure that votes are "counted as cast".
(Of course, there are many other issues, such as accessibility, ease-of-use, privacy, and cost, but the above two issues are critical to address in any voting method.)

How are these two central problems addressed in the Chaum and Neff proposals? Here is the basic flavor of their ideas, without going into details (and without even being quite accurate on the details given, since this is just a rough sketch).

To ensure that votes are "cast as intended", the voter is given (in addition to her printed receipt/copy of her ballot) a printed piece of "compliance evidence". The voter should do a "quick check" of the compliance evidence while in the polling booth; this may involve checking that her intended vote is consistent with the compliance evidence. The voter may be required to destroy some (e.g. half) of the compliance evidence as she leaves the poll site, in order to ensure that her vote remains private. The compliance evidence may be subjected to further (more mathematical) testing later on to detect fraud or error by the voting machine. This further testing could, for example, be performed at a station run by the ACLU or League of Women Voters at the poll site exit; the voter might merely drop her compliance evidence into the bucket at this station as she leaves. The voter could also give the ACLU her receipt/copy of her ballot, so that the ACLU could ensure that her ballot does indeed end up on the published ballot list.
To ensure that votes are "counted as cast", the ballots from the published ballot list (1) have the voters' names detached, (2) are scrambled in order while being re-encrypted, and (3) are decrypted and tallied. This is done in such a way that the result is mathematically certain to be correct and such that the correctness of the result is verifiable by anyone, while not revealing how any one voter voted; this technology is called "robust mix-nets". It might become routine for high-school computer science classes to write programs that verify the correctness of the tally for the most recent presidential election.

The net result of such voting system proposals is highly open, highly secure systems. Paper is used only to ensure that the voting machines and ballot publication system are working correctly. There is no need to pre-print ballots. There is never any need to count paper ballots, even for a recount.

While I am optimistic about the prospects for voter-verified secret ballot voting systems in general, the Chaum and Neff proposals are still rather new, and we are certain to see refinements and improvements before they are really ready for widespread use. These are evolving proposals for the longer term, not for fixing security problems we may be facing this November!

In conclusion:

We see that innovations in voting systems are continuing, and will continue. We need to manage well this process of continual improvement.

I believe that security in voting systems can be substantially improved. While some current DRE systems definitely seem a step backwards in terms of security, it does appear probable that we can eventually have highly secure electronic voting systems, with a reduced or eliminated need to trust the voting machine equipment and software. We will be developing assurance and certification for the election results, rather than for the voting machines.
While paper may not go away, we may be able to eventually have secure electronic ballots, rather than paper ballots.
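As an added illustration (my own toy code, not from Chaum's or Neff's papers and not part of the original remarks) of the receipt check and the "counted as cast" pipeline described above: each official ballot is an ElGamal ciphertext posted beside the voter's name, the voter checks her receipt copy against the bulletin board, a mixer detaches the names and re-encrypts and shuffles the ballots, and a trustee decrypts and tallies the result. The group parameters, candidate names and voters are constructed, and the zero-knowledge shuffle proof that makes a real mix-net "robust" is omitted; what the code does show is that re-encryption changes every ciphertext yet leaves the tally unchanged.

```python
import secrets
from collections import Counter

# Constructed toy parameters, NOT for real use: safe prime P = 2*Q + 1;
# G = 4 generates the order-Q subgroup of quadratic residues mod P.
P, Q, G = 1019, 509, 4
CANDIDATES = ["Alice", "Bob"]          # constructed sample contest

def keygen():
    """Trustee key pair: private x, public y = G^x mod P."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def encrypt(y, m, r=None):
    """ElGamal: (G^r, m * y^r); m must be a subgroup element."""
    r = r if r is not None else 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), (m * pow(y, r, P)) % P

def reencrypt(y, ct, s=None):
    """Multiply in an encryption of 1: same plaintext, unlinkable ciphertext."""
    a, b = ct
    s = s if s is not None else 1 + secrets.randbelow(Q - 1)
    return (a * pow(G, s, P)) % P, (b * pow(y, s, P)) % P

def decrypt(x, ct):
    a, b = ct
    return (b * pow(a, -x, P)) % P     # b * a^(-x) = m  (Python 3.8+)

def encode(candidate):                 # candidate i -> G^(i+1)
    return pow(G, CANDIDATES.index(candidate) + 1, P)

def cast(y, voter, candidate):
    """Official ballot = ciphertext posted beside the name; voter keeps a copy."""
    return voter, encrypt(y, encode(candidate))

def receipt_posted(board, voter, receipt):
    """Voter (or a helper such as a watchdog group) checks the bulletin board."""
    return (voter, receipt) in board

def mix(y, board):
    """Detach names, re-encrypt every ballot, shuffle. The shuffle proof that
    makes a mix-net 'robust' (publicly verifiable) is omitted here."""
    mixed = [reencrypt(y, ct) for _, ct in board]
    for i in range(len(mixed) - 1, 0, -1):   # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        mixed[i], mixed[j] = mixed[j], mixed[i]
    return mixed

def tally(x, mixed):
    """Trustee decrypts the mixed ballots; none links back to a voter's name."""
    names = {encode(c): c for c in CANDIDATES}   # group element -> candidate
    return dict(Counter(names[decrypt(x, ct)] for ct in mixed))
```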