Unformatted text preview:

ThreeBallot AnalysisGreg Belote, Harvey Jones, Jason JuangOutline●ThreeBallot Background●Usability Tests●In-Class TestThreeBallot●Proposed in 2006 by Ron Rivest●Design Criteria–Match security properties of cryptographic systems–Publicly-verifiable–Simple–ScalableSample MultiballotCriticisms of ThreeBallot●Complexity–Non-intuitive rules–High time demands on voters and on poll workers●Privacy–Charlie Strauss' ballot reconstruction●SecurityQuestions●How robust is it against attacks on privacy, and on the election results?●How usable is the system as designed?●Could computers make it better?●Would people trust this system?Usability Tests●Implemented a computer-based ThreeBallot Machine●Assigned half of the voters to computer, half to paper (88 ballots cast)●Surveyed voters about their understanding of the systemUsability Results●Voters were initially intimidated●Voters required assistance●Voters were angry when overvotes required that the ballot be redone●Some questioned need for such a complex systemUsability Results●Voters were more comfortable voting by computer●16 of 51 paper ballots were initially rejected–12 got it right the second time–1 got frustrated and left●1 of 36 computer voters misclicked and had to try againPost-vote Survey Results●50% would use it in a federal election●70% believed ThreeBallot is secret and secure●58 of 64 correctly identified a valid ballot●59 of 64 correctly labeled an overvoted ballot as invalid●19 of 49 at EC correctly labeled a legal abstention as validIn-Class Mock Election●Held in class on Monday, December 4●Offered incentives–Selling a vote–Creating a fraudulent bulletin board–Discrediting a fraudulent bulletin boardIn-Class Results●Vote selling–4 out of 18 succeeded●Scanner malfunction–One negative vote for “other”●Election throwing–One adversary was able to change winners of all races.The Yoyoverse●Gather all the receipt numbers you can●Reconstruct triples that have to be connected–6 of 18 were reconstructed●Match ID numbers to known receipts●Profit!Reconstruction Results●Stata: 25 of 29 reconstructed–19-bit ballots●EC: 0 of 58 reconstructed–14-bit ballotsConclusion●Initial intimidation, but most get it after a few minutes of explanation–Special cases still confusing–About a third of voters got the first ballot wrong–Computers help, but with security tradeoff●Reconstruction attacks are bad for privacy and for security●Pre-printed IDs are easy to memorize–Complex IDs hurt transparency–Long IDs don't


View Full Document

MIT 6 857 - Three Ballot Analysis

Documents in this Course
Load more
Download Three Ballot Analysis
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Three Ballot Analysis and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Three Ballot Analysis 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?