Scantegrity

From Scantegrity Wiki

Revision as of 16:34, 9 June 2009 by 67.102.68.186 (talk) (End-to-end Verification as an Add-on: fix typo "mean" -> "meant")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This is a copy of the Scantegrity article on Wikipedia from September 25th, 2008.

Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses privacy-preserving confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. Scantegrity II prints the confirmation codes in invisible ink to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both software independent as well as independent of faults in the physical chain-of-custody of the paper ballots. The system was developed by a team of researchers including cryptographers David Chaum and Ron Rivest.

End-to-end Verification as an Add-on[edit]

Optical scan voting systems produce an electronic tally, while maintaining the original paper ballots which can be rescanned or manually hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to either trust that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point.<ref>{{

 #if: 

|{{

 #if: 
 |[[ |{{{inventor}}}{{
    #if: 
    |, 
  }}]]
 |{{{inventor}}}{{
    #if: 
    |, 
  }}

}}{{

 #if: 
 |{{
    #if: 
    |; 
    | & 
  }}{{
    #if: 
    |[[ | ]]
    | 
  }}{{
    #if: 
    | & {{
       #if: 
       |[[ | ]]
       | 
     }}{{
       #if:
       | et al.
     }}
  }}

}}{{

#if: Down for the Count
|, "Down for the Count"

}}, {{#if: http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}}

 | [http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}} {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}}] 
 | {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}} 

}}{{

 #if: 
 |, published 

}}{{

 #if: 
 |, issued 

}}

| }}</ref> Other E2E voting systems such as Punchscan and ThreeBallot, address these issues but require existing polling place equipment and procedures to be greatly altered or replaced.<ref>{{

 #if: 

|{{

 #if: 
 |[[ |{{{inventor}}}{{
    #if: 
    |, 
  }}]]
 |{{{inventor}}}{{
    #if: 
    |, 
  }}

}}{{

 #if: 
 |{{
    #if: 
    |; 
    | & 
  }}{{
    #if: 
    |[[ | ]]
    | 
  }}{{
    #if: 
    | & {{
       #if: 
       |[[ | ]]
       | 
     }}{{
       #if:
       | et al.
     }}
  }}

}}{{

#if: Click Here For President: The Future of Voting in America
|, "Click Here For President: The Future of Voting in America"

}}, {{#if: http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}}

 | [http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}} {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}}] 
 | {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}} 

}}{{

 #if: 
 |, published 

}}{{

 #if: 
 |, issued 

}}

| }}</ref> In contrast, Scantegrity is an add-on meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware and software and procedural modifications.<ref>{{#if:Chaum

 |{{#if:David_Chaum
   |{{#if:
      Chaum
      |Chaum{{#if:
        David
        |, David
      }}
      |{{{author}}}
    }}
   |{{#if:Chaum
     |Chaum{{#if:
       David
       |, David
     }}
     |{{{author}}}
   }}
 }}

}}{{#if:Chaum

 |{{#if:Aleks Essex, Richard T. Carback III, Jeremy Clark, Stefan Popoveniuc, Alan T. Sherman, Poorvi Vora
   | ; Aleks Essex, Richard T. Carback III, Jeremy Clark, Stefan Popoveniuc, Alan T. Sherman, Poorvi Vora
 }}{{#if:May/June 2008
   | (May/June 2008)
   |{{#if:
     |{{#if:
       | ({{{month}}} {{{year}}})
       | ({{{year}}})
      }}
    }}
 }}

}}{{#if:Chaum

 | .

}}{{#if:ChaumMay/June 2008

 |  

}}{{#ifeq:

| no 
| 
| {{#if: |“|"}} 
}}{{#if:http://scantegrity.org/papers/scantegrityIEEESP.pdf
 |{{#ifeq:Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting||Citation is missing a title.

Either specify one, or click here and a bot will try to complete the citation details for you. }}[{{#if:http://scantegrity.org/papers/scantegrityIEEESP.pdf%7Chttp://scantegrity.org/papers/scantegrityIEEESP.pdf%7Chttp://www.pubmedcentral.gov/articlerender.fcgi?tool=pmcentrez&artid={{{pmc}}}}} Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting]

 |Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting

}}{{#ifeq:

| no 
| 
| {{#if:|”|"}} 
}}{{#if: 
 |  (in {{{language}}})

}}{{#if:

 |  ({{{format}}})

}}{{#if:Chaum

 |
 |  {{#if:May/June 2008
   | (May/June 2008)
   |{{#if:
     |{{#if:
       | ({{{month}}} {{{year}}})
       | ({{{year}}})
      }}
    }}
 }}

}}{{#if:IEEE Security & Privacy

 |. IEEE Security & Privacy

}}{{#if:

 | {{{volume}}}

}}{{#if:6:3

 | (6:3)

}}{{#if:40-46

 |: 40-46

}}{{#if:

 |. {{#if: 
   |{{{location}}}: 
 }}{{{publisher}}}

}}{{#if:

 |. doi:{{#if:  
    | {{{doi}}} (inactive [[]]) {{#ifeq:  |  | [[Category:Pages with DOIs broken since {{#time: Y |  }}]] }}
    | {{{doi}}}
   }}

}}{{#if:

 |. ISSN {{{issn}}}

}}{{#if:

 |. PMID {{{pmid}}}

}}{{#if:

 | {{#if:http://scantegrity.org/papers/scantegrityIEEESP.pdf |. PMC:{{{pmc}}}}}

}}{{#if:

 |. Bibcode{{{bibcode}}}

}}{{#if:

 |. OCLC {{{oclc}}}

}}{{#if:

 |. {{{id}}}

}}{{#if:

 |. Retrieved on [[{{{accessdate}}}]]{{#if:  | , [[{{{accessyear}}}]] }}

}}{{#if:

 |  Retrieved on {{{accessmonthday}}}, {{{accessyear}}}

}}{{#if:

 |  Retrieved on {{{accessdaymonth}}} {{{accessyear}}}

}}{{#if:

 |. [{{{laysummary}}} Lay summary]{{#if: | – {{{laysource}}}}}

}}{{#if:

 |  ([[{{{laydate}}}]])

}}.{{#if:

 |  “{{{quote}}}”

}} </ref>

For all other voters, the ballot marking procedure is essentially identical to conventional optical scan paper-ballots. Similarly, the underlying system still produces both an electronic tally as well as a human readable paper trail through which manual recounts can still be conducted.

Voter Experience[edit]

Error creating thumbnail: Unable to save thumbnail to destination
Scantegrity II ballot and decoder pen.
Left: Unmarked optical scan bubble.
Right: Marked optical scan bubble revealing confirmation code "FY".

The Scantegrity II voting procedure is similar to that of a traditional optical scan voting system, except that each voting response location contains a random confirmation code printed in invisible ink.<ref>{{#if:Chaum

 |{{#if:David_Chaum
   |{{#if:
      Chaum
      |Chaum{{#if:
        David
        |, David
      }}
      |{{{author}}}
    }}
   |{{#if:Chaum
     |Chaum{{#if:
       David
       |, David
     }}
     |{{{author}}}
   }}
 }}

}}{{#if:Chaum

 |{{#if:Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, Alan T. Sherman
   | ; Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, Alan T. Sherman
 }}{{#if:2008
   | (2008)
   |{{#if:
     |{{#if:
       | ({{{month}}} {{{year}}})
       | ({{{year}}})
      }}
    }}
 }}

}}{{#if:Chaum

 | .

}}{{#if:Chaum2008

 |  

}}{{#ifeq:

| no 
| 
| {{#if: |“|"}} 
}}{{#if:http://www.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf
 |{{#ifeq:Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes||Citation is missing a title.

Either specify one, or click here and a bot will try to complete the citation details for you. }}[{{#if:http://www.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf%7Chttp://www.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf%7Chttp://www.pubmedcentral.gov/articlerender.fcgi?tool=pmcentrez&artid={{{pmc}}}}} Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes]

 |Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes

}}{{#ifeq:

| no 
| 
| {{#if:|”|"}} 
}}{{#if: 
 |  (in {{{language}}})

}}{{#if:

 |  ({{{format}}})

}}{{#if:Chaum

 |
 |  {{#if:2008
   | (2008)
   |{{#if:
     |{{#if:
       | ({{{month}}} {{{year}}})
       | ({{{year}}})
      }}
    }}
 }}

}}{{#if:Proceedings of USENIX/ACCURATE EVT

 |. Proceedings of USENIX/ACCURATE EVT

}}{{#if:

 | {{{volume}}}

}}{{#if:

 | ({{{issue}}})

}}{{#if:

 |: {{{pages}}}

}}{{#if:

 |. {{#if: 
   |{{{location}}}: 
 }}{{{publisher}}}

}}{{#if:

 |. doi:{{#if:  
    | {{{doi}}} (inactive [[]]) {{#ifeq:  |  | [[Category:Pages with DOIs broken since {{#time: Y |  }}]] }}
    | {{{doi}}}
   }}

}}{{#if:

 |. ISSN {{{issn}}}

}}{{#if:

 |. PMID {{{pmid}}}

}}{{#if:

 | {{#if:http://www.usenix.org/event/evt08/tech/full_papers/chaum/chaum.pdf |. PMC:{{{pmc}}}}}

}}{{#if:

 |. Bibcode{{{bibcode}}}

}}{{#if:

 |. OCLC {{{oclc}}}

}}{{#if:

 |. {{{id}}}

}}{{#if:

 |. Retrieved on [[{{{accessdate}}}]]{{#if:  | , [[{{{accessyear}}}]] }}

}}{{#if:

 |  Retrieved on {{{accessmonthday}}}, {{{accessyear}}}

}}{{#if:

 |  Retrieved on {{{accessdaymonth}}} {{{accessyear}}}

}}{{#if:

 |. [{{{laysummary}}} Lay summary]{{#if: | – {{{laysource}}}}}

}}{{#if:

 |  ([[{{{laydate}}}]])

}}.{{#if:

 |  “{{{quote}}}”

}} </ref> The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code.<ref>{{

 #if: 

|{{

 #if: 
 |[[ |{{{inventor}}}{{
    #if: 
    |, 
  }}]]
 |{{{inventor}}}{{
    #if: 
    |, 
  }}

}}{{

 #if: 
 |{{
    #if: 
    |; 
    | & 
  }}{{
    #if: 
    |[[ | ]]
    | 
  }}{{
    #if: 
    | & {{
       #if: 
       |[[ | ]]
       | 
     }}{{
       #if:
       | et al.
     }}
  }}

}}{{

#if: Protecting Your Vote With Invisible Ink
|, "Protecting Your Vote With Invisible Ink"

}}, {{#if: http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}}

 | [http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}} {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}}] 
 | {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}} 

}}{{

 #if: 
 |, published 

}}{{

 #if: 
 |, issued 

}}

| }}</ref>

Voters wishing the verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number.<ref>{{

 #if: 

|{{

 #if: 
 |[[ |{{{inventor}}}{{
    #if: 
    |, 
  }}]]
 |{{{inventor}}}{{
    #if: 
    |, 
  }}

}}{{

 #if: 
 |{{
    #if: 
    |; 
    | & 
  }}{{
    #if: 
    |[[ | ]]
    | 
  }}{{
    #if: 
    | & {{
       #if: 
       |[[ | ]]
       | 
     }}{{
       #if:
       | et al.
     }}
  }}

}}{{

#if: Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly
|, "Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly"

}}, {{#if: http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}}

 | [http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}} {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}}] 
 | {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}} 

}}{{

 #if: 
 |, published 

}}{{

 #if: 
 |, issued 

}}

| }}</ref>

The voter can simply ignore the code and continue to mark and cast their ballot as normal. Those voters choosing to do so may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number. The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also pre-committed to by a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.

Checking Confirmation Codes[edit]

After the election is finished, the election authority publicly posts a list of confirmation codes for the positions marked on each ballot it received. Voters who wrote down their codes can verify that the codes are correct for their ballot number and that no codes were added or removed.<ref>{{

 #if: 

|{{

 #if: 
 |[[ |{{{inventor}}}{{
    #if: 
    |, 
  }}]]
 |{{{inventor}}}{{
    #if: 
    |, 
  }}

}}{{

 #if: 
 |{{
    #if: 
    |; 
    | & 
  }}{{
    #if: 
    |[[ | ]]
    | 
  }}{{
    #if: 
    | & {{
       #if: 
       |[[ | ]]
       | 
     }}{{
       #if:
       | et al.
     }}
  }}

}}{{

#if: Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly
|, "Flawless Vote Counts: Cryptography lets voters confirm that their ballots were tallied correctly"

}}, {{#if: http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}}

 | [http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}} {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}}] 
 | {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}} 

}}{{

 #if: 
 |, published 

}}{{

 #if: 
 |, issued 

}}

| }}</ref> If the posted record is incorrect, the voter may file a dispute. Spurious disputes can be excluded from consideration by comparing the claimed codes to the set of possible codes for a given contest on a ballot—the probability of randomly guessing a code that actually appeared on the ballot is low.

Tally Verification[edit]

After the election, the trustees generate an independent tally from the voter-verifiable list of ballots and confirmation codes. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend. Many such backends have been proposed for tallying votes, including the ones used by Punchscan and Prêt à Voter. Scantegrity currently uses a backend based on the Aperio voting system.<ref>{{#if:Essex

 |{{#if:
   |[[{{{authorlink}}}|{{#if:
     Essex
     |Essex{{#if:
       Aleks
       |, Aleks
     }}
     |{{{author}}}
   }}]]
   |{{#if:Essex
     |Essex{{#if:
       Aleks
       |, Aleks
     }}
     |{{{author}}}
   }}
 }}

}}{{#if:Essex

 |{{#if:Jeremy Clark, Carlisle Adams
   | ; Jeremy Clark, Carlisle Adams
 }}{{#if:2008
   | (2008)
   |{{#if:
     |{{#if:
       | ({{{month}}} {{{year}}})
       | ({{{year}}})
      }}
    }}
 }}

}}{{#if:Essex

 | .

}}{{#if:Essex2008

 |  

}}{{#ifeq:

| no 
| 
| {{#if: |“|"}} 
}}{{#if:http://www.site.uottawa.ca/~aesse083/papers/aperio-WOTE.pdf
 |{{#ifeq:Aperio: High Integrity Elections for Developing Countries||Citation is missing a title.

Either specify one, or click here and a bot will try to complete the citation details for you. }}[{{#if:http://www.site.uottawa.ca/~aesse083/papers/aperio-WOTE.pdf%7Chttp://www.site.uottawa.ca/~aesse083/papers/aperio-WOTE.pdf%7Chttp://www.pubmedcentral.gov/articlerender.fcgi?tool=pmcentrez&artid={{{pmc}}}}} Aperio: High Integrity Elections for Developing Countries]

 |Aperio: High Integrity Elections for Developing Countries

}}{{#ifeq:

| no 
| 
| {{#if:|”|"}} 
}}{{#if: 
 |  (in {{{language}}})

}}{{#if:

 |  ({{{format}}})

}}{{#if:Essex

 |
 |  {{#if:2008
   | (2008)
   |{{#if:
     |{{#if:
       | ({{{month}}} {{{year}}})
       | ({{{year}}})
      }}
    }}
 }}

}}{{#if:IAVoSS Workshop On Trustworthy Elections

 |. IAVoSS Workshop On Trustworthy Elections

}}{{#if:

 | {{{volume}}}

}}{{#if:

 | ({{{issue}}})

}}{{#if:

 |: {{{pages}}}

}}{{#if:

 |. {{#if: 
   |{{{location}}}: 
 }}{{{publisher}}}

}}{{#if:

 |. doi:{{#if:  
    | {{{doi}}} (inactive [[]]) {{#ifeq:  |  | [[Category:Pages with DOIs broken since {{#time: Y |  }}]] }}
    | {{{doi}}}
   }}

}}{{#if:

 |. ISSN {{{issn}}}

}}{{#if:

 |. PMID {{{pmid}}}

}}{{#if:

 | {{#if:http://www.site.uottawa.ca/~aesse083/papers/aperio-WOTE.pdf |. PMC:{{{pmc}}}}}

}}{{#if:

 |. Bibcode{{{bibcode}}}

}}{{#if:

 |. OCLC {{{oclc}}}

}}{{#if:

 |. {{{id}}}

}}{{#if:

 |. Retrieved on [[{{{accessdate}}}]]{{#if:  | , [[{{{accessyear}}}]] }}

}}{{#if:

 |  Retrieved on {{{accessmonthday}}}, {{{accessyear}}}

}}{{#if:

 |  Retrieved on {{{accessdaymonth}}} {{{accessyear}}}

}}{{#if:

 |. [{{{laysummary}}} Lay summary]{{#if: | – {{{laysource}}}}}

}}{{#if:

 |  ([[{{{laydate}}}]])

}}.{{#if:

 |  “{{{quote}}}”

}} </ref> Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties.<ref>{{

 #if: 

|{{

 #if: 
 |[[ |{{{inventor}}}{{
    #if: 
    |, 
  }}]]
 |{{{inventor}}}{{
    #if: 
    |, 
  }}

}}{{

 #if: 
 |{{
    #if: 
    |; 
    | & 
  }}{{
    #if: 
    |[[ | ]]
    | 
  }}{{
    #if: 
    | & {{
       #if: 
       |[[ | ]]
       | 
     }}{{
       #if:
       | et al.
     }}
  }}

}}{{

#if: Canadian voting machine enters American political machine
|, "Canadian voting machine enters American political machine"

}}, {{#if: http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}}

 | [http://v3.espacenet.com/textdoc?DB=EPODOC&IDX={{{country-code}}}{{{patent-number}}} {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}}] 
 | {{{country-code}}}{{
       #if: 
       | 
     }} {{{patent-number}}} 

}}{{

 #if: 
 |, published 

}}{{

 #if: 
 |, issued 

}}

| }}</ref>

Further Reading[edit]

Academic Papers[edit]

Articles[edit]

Notes[edit]

<references />

External Links[edit]