ThreeBallot
Encyclopedia
ThreeBallot is a voting protocol invented by Ron Rivest
.
ThreeBallot is an end-to-end (E2E) auditable voting system
that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptography
.
A vote cannot be both verifiable and anonymous. ThreeBallot attempts to solve this problem by giving each voter three ballots: one verifiable, and two anonymous. The voter chooses which ballot is verifiable and keeps this secret; since the vote-counter does not know, there is a 1/3 chance of being discovered destroying or altering any single ballot. The voter is forced to make two of his three ballots cancel each other out, so that he can only vote once.
At the polling station, the voter makes a copy of any one of his three ballots.
Then, all three original ballots are dropped into the ballot box.
The voter keeps the one copy as a receipt.
At the end of the election, all ballots are published. Each ballot has a unique identifier
. Each voter may verify that his votes were counted by searching for the identifier on his receipt amongst the published ballots. However, because the voter selects which of his ballots he receives as a receipt, he can arrange for his receipt to bear any combination of markings. Thus voters cannot prove to another party who they voted for, eliminating vote-selling, coercion, etc . Rivest discusses other benefits and flaws in his paper.
.
A field test has found ThreeBallot to have significant privacy, security and usability problems. However, an electronic version addressing such problems was proposed by Costa, et al.
Ron Rivest
Ronald Linn Rivest is a cryptographer. He is the Andrew and Erna Viterbi Professor of Computer Science at MIT's Department of Electrical Engineering and Computer Science and a member of MIT's Computer Science and Artificial Intelligence Laboratory...
.
ThreeBallot is an end-to-end (E2E) auditable voting system
End-to-end auditable voting systems
End-to-end auditable or end-to-end voter verifiable systems are voting systems with stringent integrity properties and strong tamper-resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were not modified, without revealing which...
that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
.
A vote cannot be both verifiable and anonymous. ThreeBallot attempts to solve this problem by giving each voter three ballots: one verifiable, and two anonymous. The voter chooses which ballot is verifiable and keeps this secret; since the vote-counter does not know, there is a 1/3 chance of being discovered destroying or altering any single ballot. The voter is forced to make two of his three ballots cancel each other out, so that he can only vote once.
Goals
This theoretical system's goals include:- Each voter's vote is secret, preventing vote-selling and coercion.
- Each voter can verify that his vote was not discarded, and was correctly used and not altered, in the computation of the election result. (And if not, the voter is in a position to prove the vote counters cheated.)
- Everybody can verify the election result was computed correctly.
- Everybody can verify that extra fake "voters" were not added, and the full list of voters is publicly known.
- The method is designed for use with paper ballotBallotA ballot is a device used to record choices made by voters. Each voter uses one ballot, and ballots are not shared. In the simplest elections, a ballot may be a simple scrap of paper on which each voter writes in the name of a candidate, but governmental elections use pre-printed to protect the...
s and requires primarily low-tech devices, but is compatible with more advanced technologies.
Method
In the ThreeBallot Voting System voters are given three blank ballots, identical except for a unique identifier. To vote for a candidate the voter must select that candidate on two of the three ballots. To vote against a candidate (the equivalent of leaving a ballot blank in other systems) the voter must select that candidate on exactly one ballot. No candidate can be left blank in the ThreeBallot Voting System, and no candidate can be selected on all three ballots — this must be enforced by a trusted authority, which might be some mechanical apparatus, to prevent multiple-vote fraud. Because a for vote cannot necessarily be distinguished from an against vote once cast, multiple-vote fraud would facilitate vote-swapping and would not necessarily be detected in the tally-verification.At the polling station, the voter makes a copy of any one of his three ballots.
Then, all three original ballots are dropped into the ballot box.
The voter keeps the one copy as a receipt.
At the end of the election, all ballots are published. Each ballot has a unique identifier
Unique identifier
With reference to a given set of objects, a unique identifier is any identifier which is guaranteed to be unique among all identifiers used for those objects and for a specific purpose...
. Each voter may verify that his votes were counted by searching for the identifier on his receipt amongst the published ballots. However, because the voter selects which of his ballots he receives as a receipt, he can arrange for his receipt to bear any combination of markings. Thus voters cannot prove to another party who they voted for, eliminating vote-selling, coercion, etc . Rivest discusses other benefits and flaws in his paper.
.
A field test has found ThreeBallot to have significant privacy, security and usability problems. However, an electronic version addressing such problems was proposed by Costa, et al.