skip to main content
Explore Scholarly Publications and Datasets in the NSF-PAR

Title: VoteXX: A Solution to Improper Influence in Voter-Verifiable Elections
We solve a long-standing challenge to the integrity of votes cast without the supervision of a voting booth: ``{\it improper influence},'' which typically refers to any combination of vote buying and voter coercion. Our approach allows each voter, or their trusted agents (which we call ``{\it hedgehogs}''), to {\it ``nullify''} (effectively cancel) their vote in a way that is unstoppable, irrevocable, and forever unattributable to the voter. In particular, our approach enhances security of online, remote, public-sector elections, for which there is a growing need and the threat of improper influence is most acute. We introduce the new approach, give detailed cryptographic protocols, show how it can be applied to several voting settings, and describe our implementation. The protocols compose a full voting system, which we call {\it {\votexx}}, including registration, voting, nullification, and tallying---using an anonymous communication system for registration, vote casting, and other communication in the system. We demonstrate how the technique can be applied to known systems, including where ballots can be mailed to voters and voters use codes on the ballot to cast their votes online. In comparison with previous proposals, our system makes fewer assumptions and protects against a strong adversary who learns all of the voter's keys. In {\votexx}, each voter has two public-private key pairs. Without revealing their more » private keys, each voter registers their public keys with the election authority. Each voter may share their keys with one or more hedgehogs. During nullification, the voter, or one or more of their hedgehogs, can interact through the anonymous communication system to nullify a vote by proving knowledge of one of the voter's private keys via a zero-knowledge proof without revealing the private key. We describe a fully decentralizable implementation of {\votexx}, including its public bulletin board, which could be implemented on a blockchain. « less
Authors:
; ; ; ; ; ; ; ; ;
Award ID(s):
1753681
Publication Date:
NSF-PAR ID:
10339514
Journal Name:
E-VOTE-ID 2022, to appear
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ( , International Journal of Information Security, submitted)
    A boardroom election is an election with a small number of voters carried out with public communications. We present BVOT, a self-tallying boardroom voting protocol with ballot secrecy, fairness (no tally information is available before the polls close), and dispute-freeness (voters can observe that all voters correctly followed the protocol). BVOT works by using a multiparty threshold homomorphic encryption system in which each candidate is associated with a set of masked primes. Each voter engages in an oblivious transfer with an untrusted distributor: the voter selects the index of a prime associated with a candidate and receives the selected prime in masked form. The voter then casts their vote by encrypting their masked prime and broadcasting it to everyone. The distributor does not learn the voter's choice, and no one learns the mapping between primes and candidates until the audit phase. By hiding the mapping between primes and candidates, BVOT provides voters with insufficient information to carry out effective cheating. The threshold feature prevents anyone from computing any partial tally---until everyone has voted. Multiplying all votes, their decryption shares, and the unmasking factor yields a product of the primes each raised to the number of votes received. In contrast tomore »some existing boardroom voting protocols, BVOT does not rely on any zero-knowledge proof; instead, it uses oblivious transfer to assure ballot secrecy and correct vote casting. Also, BVOT can handle multiple candidates in one election. BVOT prevents cheating by hiding crucial information: an attempt to increase the tally of one candidate might increase the tally of another candidate. After all votes are cast, any party can tally the votes.« less
  2. ; ; ; ( , Cryptologia)
    We present Phrase-Verified Voting, a voter-verifiable remote voting system easily assembled from commercial off-the-shelf software for small private elections. The system is transparent and enables each voter to verify that the tally includes their ballot selection without requiring any understanding of cryptography. This system is an example of making voter verification usable. The paper describes the system and an experience with it in fall 2020, to vote remotely in promotion committees in a university. Each voter fills out a form in the cloud with their selection $V$ for each race and a two-word passphrase $P$. The system generates a verification prompt of the $(V,P)$ pairs and a tally of the votes, organized to help visualize how the votes add up. After the polls close, each voter verifies that this table lists their $(V,P)$ pair and that the tally is computed correctly. The system is especially appropriate for any small group making sensitive decisions. Because the system would not prevent a coercer from demanding that their victim use a specified passphrase, it is not designed for applications where such malfeasance would be likely or go undetected. Results from 43 voters show that the system performed effectively for its intended purpose, andmore »introduced users to the concept of voter-verified elections. Compared to the commonly-used alternatives of paper ballots or voting by email, voters found the system easier to use, and that it provided greater privacy and outcome integrity.« less
  3. ; ; ( , Digital Threats: Research and Practice)
    U.S. elections rely heavily on computers such as voter registration databases, electronic pollbooks, voting machines, scanners, tabulators, and results reporting websites. These introduce digital threats to election outcomes. Risk-limiting audits (RLAs) mitigate threats to some of these systems by manually inspecting random samples of ballot cards. RLAs have a large chance of correcting wrong outcomes (by conducting a full manual tabulation of a trustworthy record of the votes), but can save labor when reported outcomes are correct. This efficiency is eroded when sampling cannot be targeted to ballot cards that contain the contest(s) under audit. If the sample is drawn from all cast cards, then RLA sample sizes scale like the reciprocal of the fraction of ballot cards that contain the contest(s) under audit. That fraction shrinks as the number of cards per ballot grows (i.e., when elections contain more contests) and as the fraction of ballots that contain the contest decreases (i.e., when a smaller percentage of voters are eligible to vote in the contest). States that conduct RLAs of contests on multi-card ballots or RLAs of small contests can dramatically reduce sample sizes by using information about which ballot cards contain which contests—by keeping track of card-style datamore »(CSD). For instance, CSD reduce the expected number of draws needed to audit a single countywide contest on a 4-card ballot by 75%. Similarly, CSD reduce the expected number of draws by 95% or more for an audit of two contests with the same margin on a 4-card ballot if one contest is on every ballot and the other is on 10% of ballots. In realistic examples, the savings can be several orders of magnitude.« less
  4. ( , Ph.D. Dissertation, Department of Government, Harvard University)
    With each successive election since at least 1994, congressional elections in the United States have transitioned toward nationalized two-party government. Fewer voters split their tickets for different parties between President and Congress. Regional blocs and incumbency voting --- a key feature of U.S. elections in the latter 20th century --- appear to have given way to strong party discipline among candidates and nationalized partisanship among voters. Observers of modern American politics are therefore tempted to write off the importance of the swing voter, defined here as voters who are indifferent between the two parties and thus likely to split their ticket or switch their party support. By assembling data from historical elections (1950 -- 2020), surveys (2008 -- 2018), and cast vote record data (2010 -- 2018), and through developing statistical methods to analyze such data, I argue that although they comprise a smaller portion of the electorate, each swing voter is disproportionately decisive in modern American politics, a phenomenon I call the swing voter paradox. Historical comparisons across Congressional, state executive, and state legislative elections confirm the decline in aggregate measures of ticket splitting suggested in past work. But the same indicator has not declined nearly as much inmore »county legislative or county sheriff elections (Chapter 1). Ticket splitters and party switchers tend to be voters with low news interest and ideological moderate. Consistent with a spatial voting model with valence, voters also become ticket splitters when incumbents run (Chapter 2). I then provide one of the first direct measures of ticket splitting instate and local office using cast vote records. I find that ticket splitting is more prevalent in state and local elections (Chapter 3). This is surprising given the conventional wisdom that party labels serve as heuristics and down-ballot elections are low information environments. A major barrier for existing studies of the swing voter lies in the measurement from incomplete electoral data. Traditional methods struggle to extract information about subgroups from large surveys or cast vote records, because of small subgroup samples, multi-dimensional data, and systematic missingness. I therefore develop a procedure for reweighting surveys to small areas through expanding poststratification targets (Chapter 4), and a clustering algorithm for survey or ballot data with multiple offices to extract interpretable voting blocs (Chapter 5). I provide open-source software to implement both methods. These findings challenge a common characterization of modern American politics as one dominated by rigidly polarized parties and partisans. The picture that emerges instead is one where swing voters are rare but can dramatically decide the party in power, and where no single demographic group is a swing voter. Instead of entrenching elections into red states and blue states, nationalization may heighten the role of the persuadable voter.« less
  5. ; ; ( , Political Analysis)
    Abstract We extend classical ideal point estimation to allow voters to have different preferences when voting in different domains—for example, when voting on agricultural policy than when voting on defense policy. Our scaling procedure results in estimated ideal points on a common scale. As a result, we are able to directly compare a member’s revealed preferences across different domains of voting (different sets of motions) to assess if, for example, a member votes more conservatively on agriculture motions than on defense. In doing so, we are able to assess the extent to which voting behavior of an individual voter is consistent with a uni-dimensional spatial model—if a member has the same preferences in all domains. The key novelty is to estimate rather than assume the identity of “stayers”—voters whose revealed preference is constant across votes. Our approach offers methodology for investigating the relationship between the basic space and issue space in legislative voting (Poole 2007). There are several methodological advantages to our approach. First, our model allows for testing sharp hypotheses. Second, the methodology developed can be understood as a kind of partial-pooling model for item response theory scaling, resulting in less uncertainty of estimates. Related, our estimation method providesmore »a principled and unified approach to the issue of “granularity” (i.e., the level of aggregation) in the analysis of roll-call data (Crespin and Rohde 2010; Roberts et al. 2016). We illustrate the model by estimating U.S. House of Representatives members’ revealed preferences in different policy domains, and identify several other potential applications of the model including: studying the relationship between committee and floor voting behavior; and investigating constituency influence and representation.« less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email