55 research outputs found
Public Evidence from Secret Ballots
Elections seem simple---aren't they just counting? But they have a unique,
challenging combination of security and privacy requirements. The stakes are
high; the context is adversarial; the electorate needs to be convinced that the
results are correct; and the secrecy of the ballot must be ensured. And they
have practical constraints: time is of the essence, and voting systems need to
be affordable and maintainable, and usable by voters, election officials, and
pollworkers. It is thus not surprising that voting is a rich research area
spanning theory, applied cryptography, practical systems analysis, usable
security, and statistics. Election integrity involves two key concepts:
convincing evidence that outcomes are correct and privacy, which amounts to
convincing assurance that there is no evidence about how any given person
voted. These are obviously in tension. We examine how current systems walk this
tightrope.Comment: To appear in E-Vote-Id '1
Limiting Risk by Turning Manifest Phantoms into Evil Zombies
Drawing a random sample of ballots to conduct a risk-limiting audit generally
requires knowing how the ballots cast in an election are organized into groups,
for instance, how many containers of ballots there are in all and how many
ballots are in each container. A list of the ballot group identifiers along
with number of ballots in each group is called a ballot manifest. What if the
ballot manifest is not accurate? Surprisingly, even if ballots are known to be
missing from the manifest, it is not necessary to make worst-case assumptions
about those ballots--for instance, to adjust the margin by the number of
missing ballots--to ensure that the audit remains conservative. Rather, it
suffices to make worst-case assumptions about the individual randomly selected
ballots that the audit cannot find. This observation provides a simple
modification to some risk-limiting audit procedures that makes them
automatically become more conservative if the ballot manifest has errors. The
modification--phantoms to evil zombies (~2EZ)--requires only an upper bound on
the total number of ballots cast. ~2EZ makes the audit P-value stochastically
larger than it would be had the manifest been accurate, automatically requiring
more than enough ballots to be audited to offset the manifest errors. This
ensures that the true risk limit remains smaller than the nominal risk limit.
On the other hand, if the manifest is in fact accurate and the upper bound on
the total number of ballots equals the total according to the manifest, ~2EZ
has no effect at all on the number of ballots audited nor on the true risk
limit.
Auditing Ranked Voting Elections with Dirichlet-Tree Models: First Steps
Ranked voting systems, such as instant-runoff voting (IRV) and single
transferable vote (STV), are used in many places around the world. They are more
complex than plurality and scoring rules, presenting a challenge for auditing
their outcomes: there is no known risk-limiting audit (RLA) method for STV other
than a full hand count. We present a new approach to auditing ranked systems
that uses a statistical model, a Dirichlet-tree, that can cope with
high-dimensional parameters in a computationally efficient manner. We
demonstrate this approach with a ballot-polling Bayesian audit for IRV
elections. Although the technique is not known to be risk-limiting, we suggest
some strategies that might allow it to be calibrated to limit risk.
Adaptively Weighted Audits of Instant-Runoff Voting Elections: AWAIRE
An election audit is risk-limiting if the audit limits (to a pre-specified
threshold) the chance that an erroneous electoral outcome will be certified.
Extant methods for auditing instant-runoff voting (IRV) elections are either
not risk-limiting or require cast vote records (CVRs), the voting system's
electronic record of the votes on each ballot. CVRs are not always available,
for instance, in jurisdictions that tabulate IRV contests manually.
We develop an RLA method (AWAIRE) that uses adaptively weighted averages of
test supermartingales to efficiently audit IRV elections when CVRs are not
available. The adaptive weighting 'learns' an efficient set of hypotheses to
test to confirm the election outcome. When accurate CVRs are available, AWAIRE
can use them to increase the efficiency to match the performance of existing
methods that require CVRs.
We provide an open-source prototype implementation that can handle elections
with up to six candidates. Simulations using data from real elections show that
AWAIRE is likely to be efficient in practice. We discuss how to extend the
computational approach to handle elections with more candidates.
Adaptively weighted averages of test supermartingales are a general tool,
useful beyond election audits to test collections of hypotheses sequentially
while rigorously controlling the familywise error rate.
Comment: 16 pages, 3 figures, accepted for E-Vote-ID 202
Election Security Is Harder Than You Think
Recent years have seen the rise of nation-state interference in elections
across the globe, making the ever-present need for more secure elections all
the more dire. While certain common-sense approaches have been a typical
response in the past, e.g. ``don't connect voting machines to the Internet''
and ``use a voting system with a paper trail'', known-good solutions to
improving election security have languished in relative obscurity for decades.
These techniques are only now finally being implemented at scale, and that
implementation has brought the intricacies of sophisticated approaches to
election security into full relief.
This dissertation argues that while approaches to improve election security
like paper ballots and post-election audits seem straightforward, in reality
there are significant practical barriers to sufficient implementation.
Overcoming these barriers is a necessary condition for an election to be
secure, and while doing so is possible, it requires significant refinement of
existing techniques. In order to better understand how election security
technology can be improved, I first develop what it means for an election to be
secure. I then delve into experimental results regarding voter-verified paper,
discussing the challenges presented by paper ballots as well as some strategies
to improve the security they can deliver. I examine the post-election audit
ecosystem and propose a manifest improvement to audit workload analysis
through parallelization. Finally, I show that even when all of these conditions
are met (as in a vote-by-mail scenario), there are still wrinkles that must be
addressed for an election to be truly secure.
PhD dissertation, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies.
http://deepblue.lib.umich.edu/bitstream/2027.42/163272/1/matber_1.pd
Automatic Margin Computation for Risk-Limiting Audits
A risk-limiting audit is a statistical method to create confidence in the correctness of an election result by checking samples of paper ballots. In order to perform an audit, one usually needs to know what the election margin is, i.e., the number of votes that would need to be changed in order to change the election outcome.
In this paper, we present a fully automatic method for computing election margins. It is based on the program analysis technique of bounded model checking to analyse the implementation of the election function. The method can be applied to arbitrary election functions without understanding the actual computation of the election result or without even intuitively knowing how the election function works.
We have implemented our method based on the model checker CBMC, and we present a case study demonstrating that it can be applied to real-world elections.