Ronald L. Rivest MIT NASEM Future of Voting Meeting June 12, 2017


1 Post-Election Audits
Ronald L. Rivest, MIT. NASEM Future of Voting Meeting, June 12, 2017

2 Who Really Won?

3 What happened? Who knows? How would you tell?
Recounts in WI, MI, PA stymied. Did “Patriotic Russian Hackers” corrupt the election??

4 Evidence-Based Elections
An election should not only accurately figure out who won, but should also provide convincing evidence that the winner really won. (Stark & Wagner 2012)

5 Outline
Security Requirements
Software Independence
Auditing Paper Ballots

6 Security Requirements

7 Security Requirements
- Only eligible voters may vote, at most once.
- Cast votes are secret (= secret ballot), even if the voter wishes otherwise! No vote-selling! No receipt showing how you voted!
- Final outcome is verifiably correct.
- No “trusted parties”: all are suspect! Vendors, voters, election officials, candidates, spouses, other nation-states, …

8 Software Independence
(Rivest & Wack, 2006)

9 And Who Do You Hope You Voted For?

10 Software Independence
Software is not to be trusted!
A voting system is software independent if an undetected error in the software cannot cause an undetectable change in the election outcome.
It is strongly software-independent if it is possible to correct any such outcome error.
Example: Voter-verified paper ballots, with possible hand recount.

11 Paper Ballots

12 1893 – “Australian” Paper Ballot

13 What is used now? Answer: 70-80% paper ballots
(Verified Voting)
DRE = Direct Recording by Electronics (Touch-Screen); VVPAT = Voter Verified Paper Audit Trail

14 Election Process (paper ballots)
- Print ballots; setup
- Mark Choices; Verify Vote; Cast Vote!
- Optical scanners give initial (“reported”) outcome
- Statistical audit of cast paper ballots by hand to confirm/disprove reported outcome
“Brush your teeth; eat your spinach; audit your elections!” (Vora)

15 Auditing of Paper Ballots

16 Two auditing paradigms
- Ballot-polling audits: Use the cast paper ballots only. Like an “exit poll” of ballots…
- Comparison audits: Compare each paper ballot with its corresponding electronic “cast vote” record (CVR).
A comparison audit is more efficient by a factor of roughly (1 / margin-of-victory).

17 General audit structure
[Diagram: Cast Votes, Sample]
1. Draw initial random sample of paper votes.
2. Interpret them by hand.
3. Stop if reported outcome is now confirmed to desired confidence level.
4. If all ballots now examined, you are done.
5. Otherwise increase sample size; return to 2.

18 Frequentist Risk-Limiting audit
(Frequentist) Risk-limiting audit: the chance that an incorrect reported outcome is accepted as correct by the audit is at most a given risk limit α (e.g. 0.05).
Bravo [LSY’12] ballot-polling audit accumulates, over sampled votes, the product of A/2 or B/2, where A, B are the reported vote-shares for Alice, Bob. The audit stops when the product exceeds 1/α.

19 ClipAudit [R17]
Suppose Alice and Bob are the top two candidates, with Alice as reported winner, having a, b votes respectively in the current sample. The audit keeps expanding the sample, examining more randomly-chosen ballots by hand, until $a > b$ and $(a - b)^2 > 3(a + b)$.
Risk limit α is about five percent.

20 Auditing other outcome rules

21 Other outcome rules
- Not all elections are plurality.
- Some are ranked-choice: the ballot gives the voter’s preferences: Alice > Charles > Dana > Bob
- An “outcome rule” maps a set of ballots to an outcome.
- Example: IRV (Instant Runoff Voting). Keep eliminating the candidate with the fewest first-choice votes until some candidate has a majority of first-choice votes. (Used in San Francisco)
How to audit complex outcome rules??

22 Bayesian risk-limiting audits [RS’12]
(Bayesian) risk-limiting audit: stops the audit when the chance that the reported outcome is wrong is less than a given risk limit (e.g. risk limit α = 0.05).
Bayesian audits are “black-box”: they work for any outcome rule.
Bayesian audits:
- draw a random sample
- produce variations of the sample
- find winners of variant samples using the outcome rule
- iterate if not enough variants give the reported outcome

23 ``Many half-samples’’ audit [R17]
- Draw a sample of the cast votes.
- On laptop generate 1,000,000 “variant samples,” each a random half-size sample of the original sample.
- Stop audit if >95% of all variant samples yield the reported outcome.
[Diagram: Cast Votes, Draw sample, Sample, On laptop, Variant / Variant / Variant]
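
The “many half-samples” stopping test above, sketched as an added example (not code from the slides or from the cited papers), run on one constructed sample under two outcome rules to show the “black-box” property. The function names, the 2,000 variants (instead of 1,000,000, for speed), the fixed seed and the tie-breaking by name are assumptions.

```python
import random
from collections import Counter

def plurality(ballots):
    """Outcome rule: most first-choice votes wins."""
    return Counter(b[0] for b in ballots).most_common(1)[0][0]

def irv(ballots):
    """Outcome rule: drop the candidate with fewest first-choice votes
    until someone holds a majority (ties broken by name, an assumption)."""
    alive = {c for b in ballots for c in b}
    while True:
        tally = Counter({c: 0 for c in alive})
        for b in ballots:
            top = next((c for c in b if c in alive), None)
            if top is not None:          # skip exhausted ballots
                tally[top] += 1
        leader, votes = max(tally.items(), key=lambda kv: (kv[1], kv[0]))
        if 2 * votes > sum(tally.values()) or len(alive) == 1:
            return leader
        alive.remove(min(tally.items(), key=lambda kv: (kv[1], kv[0]))[0])

def half_sample_audit(sample, reported, outcome_rule,
                      variants=2000, threshold=0.95, seed=2017):
    """Return (stop, fraction of half-size variants agreeing with `reported`)."""
    rng = random.Random(seed)            # fixed seed so the run is repeatable
    k = len(sample) // 2
    agree = sum(outcome_rule(rng.sample(sample, k)) == reported
                for _ in range(variants))
    return agree / variants > threshold, agree / variants

# Constructed sample of 400 hand-interpreted ranked ballots (not real data).
SAMPLE = ([("Bob", "Alice", "Charles")] * 168 +
          [("Alice", "Charles", "Bob")] * 156 +
          [("Charles", "Alice", "Bob")] * 76)

if __name__ == "__main__":
    # Same sample, two outcome rules: the audit only ever calls the rule.
    print("plurality, reported Bob:", half_sample_audit(SAMPLE, "Bob", plurality))
    print("IRV, reported Alice:   ", half_sample_audit(SAMPLE, "Alice", irv))
```

On this sample the IRV contest meets the stopping test, while the close plurality contest does not and the sample would have to be enlarged.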

24 Conclusions
We can make elections much more secure with post-election audits.

25 The End
Thanks for your attention!

