Voting systems require end-to-end trustworthiness, commencing with blank ballots and registration lists and concluding with the correct and auditable tallies of the marked ballots, reflecting the choices of the voters. This ballot round trip must resist well financed and organized adversaries that may include the very people who develop, maintain, or deploy the election machinery, and the process must be accessible to all citizens regardless of their disabilities or native language. The center's research investigates software architectures, tamper-resistant hardware, cryptographic protocols, and the role that various verification systems (e.g. paper, audio, cryptographic) can play in electronic voting systems. The center also examines system usability and studies how public policy and administrative procedures can, in combination with technology, better safeguard voting systems.
The voting system integrity problem is a paradigmatic hard Cyber Trust problem, requiring trustworthy system architectures, security, integrity, privacy, anonymity, high assurance, and human-machine interfaces. Voting systems must preserve a voter's privacy and anonymity, to reduce risks of voter coercion and bribery, yet they must be sufficiently auditable and transparent to allow for mistakes and errors to be identified and reconciled. This center's research develops a deeper understanding of how to organize, develop, and evaluate not only voting systems, but a wide range of other systems with end-to-end trustworthiness requirements.
This project was part of the National Science Foundation's Cyber Trust program, which is intended to bring the skills of investigators in different research areas to protecting our networked computer infrastructure from hostile attack. The project was to study voting as an example of a critical system that needs to be protected, with the additional hope that many of the results would be applicable to a broader range of problems. Several institutions were involved, including research groups at the University of California at Berkeley, the University of Iowa, Johns Hopkins University, Rice University, SRI International, and Stanford University. This report is on work conducted at Stanford. Our research covered a range of issues related to voting.

At the most practical level, we studied operations in several election jurisdictions and proposed new procedures that make elections more trustworthy. For example, California has an "auditing" procedure for elections in which paper ballots are hand-counted in randomly chosen precincts to ensure the accuracy of electronic counts. The integrity of this process depends on getting a number of details right. In collaboration with project members at Berkeley, we devised a simple procedure in which 10-sided dice are rolled in public to choose the precincts to be audited, and worked out all of the details of how it should be done. This process is now in use in several California counties.

Another problem we addressed was evaluating the security of a whole system, including computers, procedures, and people. We developed a method for doing this based on "attack trees", which provide a way to organize all of the potential attacks on a system, together with defenses against those attacks and the "costs" of the attacks (which could be related to the difficulty of the attack, its probability, or the damage it causes). We built a prototype software tool to help with this task and, along with researchers from Berkeley and SRI International, applied it to a system-wide evaluation of elections in Marin County, California.

We also developed new methods to protect votes stored on an electronic voting machine during election day. Our method can be used as a drop-in augmentation to existing storage systems and prevents tampering with stored votes in the middle of election day. The core idea is called "append-only history-independent signatures", a type of digital signature that ensures that previously signed data cannot be erased and that hides the order in which data is signed (hiding the order of electronic ballots is necessary to preserve voter privacy). We used advanced cryptographic techniques to do this efficiently. We implemented a vote storage system that uses our append-only history-independent signatures and showed that it performs well and can be used in real-world voting equipment.

Finally, since many computer security problems result from programming errors, we developed new computerized techniques for checking the correctness of some of the most widely used cryptographic functions. These are the basis for almost all secure communication over computer networks, including e-commerce. Our methods were based on automated theorem proving. Using them, we were able to automatically prove the correctness of several cryptographic functions that had not previously been proved correct.
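The public dice-rolling selection of audit precincts described above can be made concrete in a short script. This is an added illustration, not the project's own procedure or code; it assumes precincts are numbered 1..N, that one 10-sided die (faces 0-9) is rolled per decimal digit of N-1 with the most significant digit first, that a roll of all zeros maps to precinct 1, and that out-of-range or repeated draws are discarded rather than reduced modulo N, so every precinct stays equally likely.

```python
from typing import Iterator, List, Optional

# Added illustration (assumed conventions, not the project's own procedure):
# precincts are numbered 1..N; each draw rolls one 10-sided die (faces 0-9)
# per decimal digit of N-1, most significant first; a draw outside 1..N or
# repeating an earlier pick is discarded and the dice are rolled again.
# Discarding (rather than reducing modulo N) keeps every precinct equally likely.


def digits_needed(num_precincts: int) -> int:
    """Dice rolled per draw: enough decimal digits to cover 0..N-1."""
    if num_precincts < 1:
        raise ValueError("need at least one precinct")
    return len(str(num_precincts - 1))


def roll_to_precinct(rolls: List[int], num_precincts: int) -> Optional[int]:
    """Combine one draw's faces into a 1-based precinct number, or None if void."""
    value = 0
    for face in rolls:
        if not 0 <= face <= 9:
            raise ValueError(f"a 10-sided die shows 0-9, got {face}")
        value = value * 10 + face
    value += 1  # all zeros -> precinct 1, all nines -> precinct 10**width
    return value if value <= num_precincts else None


def select_precincts(num_precincts: int, sample_size: int,
                     rolls: Iterator[int]) -> List[int]:
    """Pick sample_size distinct precincts from the public transcript of faces.
    The transcript is the audit evidence: anyone can replay it and confirm the pick."""
    if not 0 <= sample_size <= num_precincts:
        raise ValueError("sample size must lie between 0 and the precinct count")
    width = digits_needed(num_precincts)
    chosen: List[int] = []
    while len(chosen) < sample_size:
        draw = []
        for _ in range(width):
            try:
                draw.append(next(rolls))
            except StopIteration:
                raise ValueError("transcript ended before the sample was complete")
        precinct = roll_to_precinct(draw, num_precincts)
        if precinct is None or precinct in chosen:
            continue  # void draw or repeat: roll again in public
        chosen.append(precinct)
    return chosen
```

With a constructed transcript of faces 9,9,9, 0,4,2, 0,4,2, 0,0,0, 2,4,9 and 250 precincts, the first draw (1000) is void and the third repeats the second, so three audit precincts come out as 43, 1 and 250.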