ABSTRACT

CONTENTS

14.1 Introduction
14.2 Voter Flow
14.3 Design
    14.3.1 Crypto Overview
    14.3.2 Triple Assurance
    14.3.3 Software and Hardware Engineering
14.4 Usability
    14.4.1 Design Considerations
    14.4.2 User Interface Design Specification
    14.4.3 Issues That Still Need to Be Addressed
14.5 Audit
14.6 The Cryptographic Workflow
14.7 Threats
    14.7.1 Coercion
        14.7.1.1 Chain Voting
        14.7.1.2 Absentee and Provisional Ballots
    14.7.2 Further Analysis
Acknowledgments

(An earlier version of this chapter, with the same authors and title, was published in the USENIX Journal of Election Technologies and Systems (JETS), volume 1, number 1, August 2013.)

14.1 Introduction

A decade ago, DRE voting systems promised to improve many aspects of voting. By having a computer mediating the user’s voting experience, they could ostensibly improve usability through summary screens and a variety of accessibility features including enlarged text, audio output, and specialized input devices. They also promised to improve the life of the election administrator, yielding quick, accurate tallies without any of the ambiguities that come along with hand-marked paper ballots. And, of course, they were promised to be secure and reliable, tested and certified. In practice, DRE systems had problems in all these areas.