What if we could use technology to fundamentally change the way that we provide election security? To make elections that were more secure, more verifiable with higher voter confidence than, than ever before. This is the promise that is driving a very active field of research in computer science today. Into what are called end to end verifiable voting systems. So as, as a voter today you don't really know what's happening behind the curtain. Even if the process is observable few voters will actually be there to watch it. You, you'll probably have to trust other people to be there making sure that everything's being done right. Often you don't even get to choose who those people are so there's always going to be some room for doubt in the back of your mind that your vote was counted correctly. But let's say we wanted to have some way to dispel this doubt. We actually wanted to have a system that, that could give every voter some notion of verifiability. So, this is what end to end or E2E voter verifiability is all about. In an E2E system, as a voter you can be sure that your vote is cast as you intended, that your vote is counted as you cast it and that all votes are counted as cast. And this isn't just in principle, I mean you can verify that your personal vote was counted the way you cast it. So let me give you a thought experiment to prove that this is at least possible in principle. So what if our voting system involved the following. We were going to collect everyone's ballot and then the next day in the newspaper we're going to print everyone's name and address together with how they voted. So we can see that this provides these properties. You can verify that your vote was cast the way you intended. You can verify it was counted the way you cast it. It's going to be possible for every voter to do that. So you can be sure that if there's significant discrepancies, they're going to be caught. There's one major problem with this, it's not a secret ballot. So the question is, can we provide a system that has all these verifiability properties, but also ensures that no voter can demonstrate how he or she voted to a third party, that provides a strong notion of ballot secrecy. Many researchers think the answer is yes. We can provide a system that is both verifiable and maintains the secret ballot And the way that they propose to do this is by introducing computer cryptography to the process. So here's how the voting process might look to a, a voter using an E2E verifiable voting system. They vote normally using the, the whatever process they use being it a DRE or an op- scan paper ballot. But at the end of the process they'd get a verifiable receipt, maybe something that looks like this. So the receipt is something you can take home with you but it provides a secret ballot because it, it doesn't show how you voted. Instead you get a long sequence of letters and digits or a bar code. Either of these is essentially a computer record of your vote that's been encrypted with a secret key you don't have. So this is going to be something that you can use to check that your individual ballot was counted correctly but that can't be used to prove to anyone else how you voted. We're also going to have to change the way that the election results are posted. Instead of publishing in the newspaper the way everyone voted, we're going to replace those voter choices with the same kind of encrypted form of each person's ballot. So, now you have a way to check your result and to check that it's actually been incorporated into the count. The first thing you can check is that the election total is correct. And so the way this happens is that you can take all of those encrypted ballots that were published in the paper, and perform a mathematical proof that shows that they add up to whatever totals have been announced on election day. I'll show you a bit about how that works later. But now, any voter who cares to do so can A, check that their own encrypted ballots are listed in the totals, can check that the other voters whose names appear there are legitimate voters, the officials haven't just made up people along with their votes, and they can check the mathematical proof of the correctness of the tally. So these things together provide you with very strong evidence that the election outcome was correct. And you can do this without having to trust that the people performing the counts were doing their jobs correctly or that they're fundamentally honest. So, this is the promise of E2E verifiable systems. So one neat thing about E2E is that it won't necessarily change what voters have to do. Voter participation is fundamentally optional. Voters can use their receipts to check that their results are properly recorded, or they can just throw their receipts in the trash. If enough voters check, however, this is like a, a form of distributed audit, and any large fraud is extremely likely to be caught. The other thing that voters can do is try to verify the accuracy of that mathematical proof that the announced totals match the published receipts or the encrypted votes. They can either verify the accuracy using an application that they wrote themselves, because the cryptography is all publicly described. Or they can download applications to do this from a source that they trust. Or they can just believe verifications that are done and published by political parties or other institutions they trust. Or they can just do what they do now, accept the results without question. So this sounds great. Potentially this would be a, a huge security advantage. But there are lots of details we have to get right. Two of the most important questions are, how do voters know that these receipts they get actually match their choices? They could just be random numbers that have been made up, or encryptions of some other vote. The second question is, how are voters supposed to be convinced that the published encrypted votes actually correspond to the announced tallies? How does that process of the mathematical proof work, and is it going to be convincing for voters? So here's one way an E2E system could convince you that, that encrypted receipt actaully matches the choices on your ballot. So let's see you're at the polls and you're about to cast your ballot, you've already filled it out and you've received an, a receipt that's allegedly the encryption of your ballot. This kind of scheme, would give you a choice. You can either cast the ballot then and there and accept that the receipt is correct, or you can challenge the receipt. If you cast, your ballot will go into the box. If you challenge, then the election officials will have to decrypt that encrypted ballot, and show you that it actually matches your choices. So in this way you can repeat this challenge process as many times as you want until you're satisfied. If at any point you open it up and, you find that it's not your intended vote then that's evidence that the system was trying to cheat, and we can proceed to investigate and find the cause. So end to end systems have been a subject of research for many years now. But only in the, the past few years have they started to emerge from the laboratory, and be something that's, that's been tested in actual practice. Probably the system that's gotten the most use and most real world experience is one called Scantegrity. Scantegrity is an end to end verifiable voting system that is used with optical scan paper ballots of the type that we're all familiar with. It involves just a few changes to the process from the voter's perspective. First you're given a ballot that has bubbles that are pre-printed with verification codes written in invisible ink. You use a special pen to cast your vote and mark the bubbles and when you mark a bubble you're given a short alphanumeric code that corresponds to each choice you made. The voter gets to write these codes down, together with the serial number of the ballot, and that forms their cryptographic receipt. Then after the election, voters can go online and use a website to verify that their receipt matches the ballot that's been recorded. And they can verify later through a public audit process that all of the other votes were totaled up correctly and match the official tallies. Scantegrity is great because it's just a fairly simple addition to existing optical scan balloting. But it provides these, these end to end verifiable properties, for voters who, who would like to take advantage of them. And if enough voters do, that strengthens the process for everyone. Because it's like another form of distributed audit. Scantegrity has been tested now in two real elections for public office, both in Tacoma Park, Maryland, in 2009 and then in 2011. The researchers learned a lot from these processes and have gone back to the lab in hopes of perfecting the system and making it something that's broadly usable in other places as well. Another E2E system that has recently emerged form the lab is a system called Helios and unlike Scantegrity, Helios is designed for online elections. Voters visit a website and fill out their ballot in a form in their browser and then they're given a cryptographic receipt in the form of a block of text that they can copy out of the browser program. Voter's can verify this receipt in several ways, either directly through the Helios website. Or if they don't trust it they can go to a independent website. Or they can even implement the Helios software themselves and verify it that way. Helios has yet to be used in a binding election for public office. In fact their, the creators of Helios say, that it's nowhere near being ready to be used in real public elections. But it has been used in some large scale private elections, including the election for the presidency of the International Association for Cryptographic Research. Helios raises some difficult questions. Is internet voting using an end to end verifiable system something we can make secure? There are a number of attacks that you can imagine would be possible. Including attacks on the user's client system. Malware on the client could interfere both with vote casting and with vote verification. So, unless users verify their vote on a separate uninfected device the malware could change the vote without being detected. Because of questions like this it's difficult to be sure whether E2E voting will ever be something strong enough to provide actually secure internet voting we can rely on. But it's likely that if internet voting is ever something we can secure, some technology like this will be a part of it.
