Scantegrity
Encyclopedia
Scantegrity is a security enhancement for optical scan voting system
s, providing such systems with end-to-end (E2E)
verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.
Scantegrity II prints the confirmation codes in invisible ink
to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both software independent
as well as independent of faults in the physical chain-of-custody
of the paper ballots. The system was developed by a team of researchers including cryptographers David Chaum
and Ron Rivest
.
s produce an electronic tally
, while maintaining the original paper ballots which can be rescanned or manually hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to either trust that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point. Other E2E voting systems such as Punchscan
and ThreeBallot
, address these issues but require existing polling place equipment and procedures to be greatly altered or replaced. In contrast, Scantegrity is an add-on
meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware and software and procedural modifications.
For all other voters, the ballot marking procedure is essentially identical to conventional optical scan paper-ballots. Similarly, the underlying system still produces both an electronic tally as well as a human readable paper trail through which manual recounts can still be conducted.
, except that each voting response location contains a random confirmation code printed in invisible ink
. The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code.
Voters wishing to verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number. Otherwise, the voter can simply ignore the code and continue to mark and cast their ballot as normal.
The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also pre-committed
to a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.
and Prêt à Voter
. Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties.
used Scantegrity II for its November, 2009 election.
Optical scan voting system
An optical scan voting system is an electronic voting system and uses an optical scanner to read marked paper ballots and tally the results.-History:...
s, providing such systems with end-to-end (E2E)
End-to-end auditable voting systems
End-to-end auditable or end-to-end voter verifiable systems are voting systems with stringent integrity properties and strong tamper-resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were not modified, without revealing which...
verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.
Scantegrity II prints the confirmation codes in invisible ink
Invisible ink
Invisible ink, also known as security ink, is a substance used for writing, which is invisible either on application or soon thereafter, and which later on can be made visible by some means. Invisible ink is one form of steganography, and it has been used in espionage...
to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both software independent
Software independence
The term "software independence" was coined by Dr. Ron Rivest and NIST researcher John Wack. A software independent voting machine is one whose tabulation record does not rely solely on software...
as well as independent of faults in the physical chain-of-custody
Chain of custody
Chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic...
of the paper ballots. The system was developed by a team of researchers including cryptographers David Chaum
David Chaum
David Chaum is the inventor of many cryptographic protocols, including blind signature schemes, commitment schemes, and digital cash. In 1982, Chaum founded the International Association for Cryptologic Research , which currently organizes academic conferences in cryptography research...
and Ron Rivest
Ron Rivest
Ronald Linn Rivest is a cryptographer. He is the Andrew and Erna Viterbi Professor of Computer Science at MIT's Department of Electrical Engineering and Computer Science and a member of MIT's Computer Science and Artificial Intelligence Laboratory...
.
Advantages
Optical scan voting systemOptical scan voting system
An optical scan voting system is an electronic voting system and uses an optical scanner to read marked paper ballots and tally the results.-History:...
s produce an electronic tally
Tally (voting)
A tally is an unofficial private observation of an election count carried out under Proportional Representation using the Single Transferable Vote. Tallymen, predominantly a feature of the Irish electoral process, are appointed by political candidates and parties. They observe the opening of...
, while maintaining the original paper ballots which can be rescanned or manually hand-counted to provide an ostensibly corroborative tally. However, the correctness of each of these tallies requires the voter to either trust that the software is error-free and has not been hacked, or that the physical chain-of-custody of the ballots has not been broken at any point. Other E2E voting systems such as Punchscan
Punchscan
Punchscan is an optical scan vote counting system invented by cryptographer David Chaum. Punchscan is designed to offer integrity, privacy, and transparency. The system is voter-verifiable, provides an end-to-end audit mechanism, and issues a ballot receipt to each voter...
and ThreeBallot
ThreeBallot
ThreeBallot is a voting protocol invented by Ron Rivest.ThreeBallot is an end-to-end auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptography.A vote cannot be both...
, address these issues but require existing polling place equipment and procedures to be greatly altered or replaced. In contrast, Scantegrity is an add-on
Retrofit
Retrofitting refers to the addition of new technology or features to older systems.* power plant retrofit, improving power plant efficiency / increasing output / reducing emissions...
meant to be used in conjunction with existing optical scan equipment, thereby requiring fewer hardware and software and procedural modifications.
For all other voters, the ballot marking procedure is essentially identical to conventional optical scan paper-ballots. Similarly, the underlying system still produces both an electronic tally as well as a human readable paper trail through which manual recounts can still be conducted.
Method
The Scantegrity II voting procedure is similar to that of a traditional optical scan voting systemOptical scan voting system
An optical scan voting system is an electronic voting system and uses an optical scanner to read marked paper ballots and tally the results.-History:...
, except that each voting response location contains a random confirmation code printed in invisible ink
Invisible ink
Invisible ink, also known as security ink, is a substance used for writing, which is invisible either on application or soon thereafter, and which later on can be made visible by some means. Invisible ink is one form of steganography, and it has been used in espionage...
. The voter marks the location using a specially provided "decoder" pen, which activates the invisible ink causing it to darken, revealing a confirmation code.
Voters wishing to verify that their vote is unmodified may write down the confirmation codes for each race on a detachable chit that contains the ballot's serial number. Otherwise, the voter can simply ignore the code and continue to mark and cast their ballot as normal.
The confirmation codes are randomly assigned to the ballots, allowing voters to freely share their codes while keeping their votes secret. The codes are also pre-committed
Commitment scheme
In cryptography, a commitment scheme allows one to commit to a value while keeping it hidden, with the ability to reveal the committed value later. Commitments are used to bind a party to a value so that they cannot adapt to other messages in order to gain some kind of inappropriate advantage...
to a committee of mutually-distrustful entities (such as representatives of each political party) so that the confirmation codes cannot be changed or misprinted without detection. Voters may request additional ballots to audit—they ensure the ballots are properly printed by revealing all the codes and comparing these to the codes committed to.
Checking
After the election is finished, the election authority publicly posts a list of confirmation codes for the positions marked on each ballot it received. Voters who wrote down their codes can verify that the codes are correct for their ballot number and that no codes were added or removed. If the posted record is incorrect, the voter may file a dispute. Spurious disputes can be excluded from consideration by comparing the claimed codes to the set of possible codes for a given contest on a ballot—the probability of randomly guessing a code that actually appeared on the ballot is low.Verification
After the election, the trustees generate an independent tally from the voter-verifiable list of ballots and confirmation codes. Since the link between a confirmation code and the candidate voted for must remain secret, the tally is generated using an anonymity-preserving backend. Many such backends have been proposed for tallying votes, including the ones used by PunchscanPunchscan
Punchscan is an optical scan vote counting system invented by cryptographer David Chaum. Punchscan is designed to offer integrity, privacy, and transparency. The system is voter-verifiable, provides an end-to-end audit mechanism, and issues a ballot receipt to each voter...
and Prêt à Voter
Prêt à Voter
Prêt à Voter is an E2E voting system devised by Peter Ryan of the University of Luxembourg. It aims to provide guarantees of accuracy of the count and ballot privacy that are independent of software, hardware etc. Assurance of accuracy flows from maximal transparency of the process, consistent with...
. Steps in the tally can be recalculated by anyone to ensure its correctness. For this reason, the system is more accurately described as mathematical voting than electronic voting. The security of the system does not require any software to operate correctly, only that the mathematical operations are independently corroborated by all interested parties.
Use in public elections
The city of Takoma Park, MarylandTakoma Park, Maryland
Takoma Park is a city in Montgomery County, Maryland, United States. It is a suburb of Washington, D.C., and part of the Washington Metropolitan Area. Founded in 1883 and incorporated in 1890, Takoma Park, informally called "Azalea City," is a Tree City USA and a nuclear-free zone...
used Scantegrity II for its November, 2009 election.
Further reading
- Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes. 2008.
- Scantegrity: End-to-End Voter Verifiable Optical-Scan Voting. 2008.
- A Really Secret Ballot, (The EconomistThe EconomistThe Economist is an English-language weekly news and international affairs publication owned by The Economist Newspaper Ltd. and edited in offices in the City of Westminster, London, England. Continuous publication began under founder James Wilson in September 1843...
). - Clean Elections, (Communications of the ACMCommunications of the ACMCommunications of the ACM is the flagship monthly journal of the Association for Computing Machinery . First published in 1957, CACM is sent to all ACM members, currently numbering about 80,000. The articles are intended for readers with backgrounds in all areas of computer science and information...
). - Protecting Your Vote With Invisible Ink (Discover Magazine).
- Flawless Vote Counts (Technology ReviewTechnology ReviewTechnology Review is a magazine published by the Massachusetts Institute of Technology. It was founded in 1899 as "The Technology Review", and was re-launched without the "The" in its name on April 23, 1998 under then publisher R. Bruce Journey...
). - Click Here For President: The Future of Voting in America (MSN Tech & Gadgets).
- Shift Back to Paper Ballots Sparks Disagreement (Morning EditionMorning EditionMorning Edition is an American radio news program produced and distributed by National Public Radio . It airs weekday mornings and runs for two hours, and many stations repeat one or both hours. The show feeds live from 05:00 to 09:00 ET, with feeds and updates as required until noon...
). - Down for the Count (ACM netWorkerAssociation for Computing MachineryThe Association for Computing Machinery is a learned society for computing. It was founded in 1947 as the world's first scientific and educational computing society. Its membership is more than 92,000 as of 2009...
). - Canadian voting machine enters American political machine (InterGovWorld).
- Maryland Voters Test New Cryptographic Voting System (Wired NewsWired NewsWired News is an online technology news website, formerly known as HotWired, that split off from Wired magazine when the magazine was purchased by Condé Nast Publishing in the 1990s. Wired News was owned by Lycos not long after the split, until Condé Nast purchased Wired News on July 11, 2006...
)
External links
- Scantegrity.org
- Scantegrity II video presentation
- Ben Adida's Takoma Park election blog