Aleksander Essex

Scantegrity: End-to-End Voter-Verifiable Optical- Scan Voting

Scantegrity is a security enhancement for optical scan voting systems. Its part of an emerging class of end-to-end independent election verification systems that permit each voter to verify that his or her ballot was correctly recorded and counted. On the Scantegrity ballot, each candidate position is paired with a random letter. Election officials confirm receipt of the ballot by posting the letter that is adjacent to the marked position. Scantegrity is the first voting system to offer strong independent verification without changing the way voters mark optical scan ballots, and it complies with legislative proposals requiring unencrypted paper audit records.

Scantegrity II: End-to-End Verifiability by Voters of Optical Scan Elections Through Confirmation Codes

Scantegrity II is an enhancement for existing paper ballot systems. It allows voters to verify election integrity - from their selections on the ballot all the way to the final tally - by noting codes and checking for them online. Voters mark Scantegrity II ballots just as with conventional optical scan, but using a special ballot marking pen. Marking a selection with this pen makes legible an otherwise invisible preprinted confirmation code. Confirmation codes are independent and random for each potential selection on each ballot. To verify that their individual votes are recorded correctly, voters can look up their ballot serial numbers online and verify that their confirmation codes are posted correctly. The confirmation codes do not allow voters to prove how they voted. However, the confirmation codes constitute convincing evidence of error or malfeasance in the event that incorrect codes are posted online. Correctness of the final tally with respect to the published codes is proven by election officials in a manner that can be verified by any interested party. Thus, compromise of either ballot chain of custody or the software systems cannot undetectably affect election integrity. Scantegrity II has been implemented and tested in small elections in which ballots were scanned either at the polling place or centrally. Preparations for its use in a public sector election have commenced.

CommitCoin: Carbon Dating Commitments with Bitcoin

In the standard definition of a commitment scheme, the sender commits to a message and immediately sends the commitment to the recipient interested in it. However the sender may not always know at the time of commitment who will become interested in it. Further, when the interested party does emerge, it could be critical to establish when the commitment was made. Employing a proof of work protocol at commitment time will later allow anyone to “carbon date” when the commitment was made, approximately, without trusting any external parties. We present CommitCoin, an instantiation of this approach that harnesses the existing computational power of the Bitcoin peer-to-peer network; a network used to mint and trade digital cash.

A Protocol for the Secure Linking of Registries for HPV Surveillance

Introduction In order to monitor the effectiveness of HPV vaccination in Canada the linkage of multiple data registries may be required. These registries may not always be managed by the same organization and, furthermore, privacy legislation or practices may restrict any data linkages of records that can actually be done among registries. The objective of this study was to develop a secure protocol for linking data from different registries and to allow on-going monitoring of HPV vaccine effectiveness. Methods A secure linking protocol, using commutative hash functions and secure multi-party computation techniques was developed. This protocol allows for the exact matching of records among registries and the computation of statistics on the linked data while meeting five practical requirements to ensure patient confidentiality and privacy. The statistics considered were: odds ratio and its confidence interval, chi-square test, and relative risk and its confidence interval. Additional statistics on contingency tables, such as other measures of association, can be added using the same principles presented. The computation time performance of this protocol was evaluated. Results The protocol has acceptable computation time and scales linearly with the size of the data set and the size of the contingency table. The worse case computation time for up to 100,000 patients returned by each query and a 16 cell contingency table is less than 4 hours for basic statistics, and the best case is under 3 hours. Discussion A computationally practical protocol for the secure linking of data from multiple registries has been demonstrated in the context of HPV vaccine initiative impact assessment. The basic protocol can be generalized to the surveillance of other conditions, diseases, or vaccination programs.

Securing optical-scan voting

This paper presents a method for adding end-to-end verifiability to any optical-scan vote counting system. A serial number and set of letters, paired with every candidate, are printed on each optical-scan ballot. The letter printed next to the candidate(s) chosen by the voter is posted to a bulletin board, and these letters are used as input to Punchscans verifiable tallying method. The letters do not reveal which candidate was chosen by the voter. The method can be used as an independent verification mechanism that provides assurance that each vote is included in the final tally unmodified—a property not guaranteed by a manual recount. We also provide a proof-of-concept process that allows the election authority to settle disputes after the polls close while preserving ballot secrecy.

Aperio: high integrity elections for developing countries

This article presents an ‘end-to-end integrity verification mechanism for use in minimally equipped secret paper-ballot election environments. The scheme presented in this paper achieves high integrity properties without interfering with the traditional marking and tabulation procedures of paper-ballot elections. Officials and auditors can respectively generate and independently verify ‘end-to-end audit trails, with office stationery and entirely without cryptographic or mathematic computations.

Single layer optical-scan voting with fully distributed trust

We present a new approach for cryptographic end-to-end verifiable optical-scan voting. Ours is the first that does not rely on a single point of trust to protect ballot secrecy while simultaneously offering a conventional single layer ballot form and unencrypted paper trail. We present two systems following this approach. The first system uses ballots with randomized confirmation codes and a physical in-person dispute resolution procedure. The second system improves upon the first by offering an informational dispute resolution procedure and a public paper audit trail through the use of self-blanking invisible ink confirmation codes. We then present a security analysis of the improved system.

Corrections to “Scantegrity II: End-to-End Verifiability by Voters of Optical Scan Elections Through Confirmation Codes” [Dec 09 611-627]

Scantegrity II is an enhancement for existing paper ballot systems. It allows voters to verify election integrity - from their selections on the ballot all the way to the final tally - by noting codes and checking for them online. Voters mark Scantegrity II ballots just as with conventional optical scan, but using a special ballot marking pen. Marking a selection with this pen makes legible an otherwise invisible preprinted confirmation code. Confirmation codes are independent and random for each potential selection on each ballot. To verify that their individual votes are recorded correctly, voters can look up their ballot serial numbers online and verify that their confirmation codes are posted correctly. The confirmation codes do not allow voters to prove how they voted. However, the confirmation codes constitute convincing evidence of error or malfeasance in the event that incorrect codes are posted online. Correctness of the final tally with respect to the published codes is proven by election officials in a manner that can be verified by any interested party. Thus, compromise of either ballot chain of custody or the software systems cannot undetectably affect election integrity. Scantegrity II has been implemented and tested in small elections in which ballots were scanned either at the polling place or centrally. Preparations for its use in a public sector election have commenced.

Oblivious Printing of Secret Messages in a Multi-party Setting

We propose oblivious printing, a novel approach to document printing in which a set of printers can cooperate to print a secret message—in human or machine readable form—without learning the message. We present multi-party protocols for obliviously printing a secret in three settings: obliviously printing the contents of a ciphertext, obliviously printing a randomized message, and generating and obliviously printing a DSA/Elgamal keypair. We propose an approach to improving the legibility of messages in the presence of numerous participants. Finally we propose some potential applications of oblivious printing in the context of electronic voting and digital cash.