Systems that let voters verify their ballots could be easily manipulated, a pair of researchers say, and they propose a simple fix using hashing technology.
A variety of electronic and paper-based voting systems have been developed that enable voters to verify that their ballots have been properly counted, but these protections could be easily circumvented by malicious insiders using a simple technique that two researchers call a “trash attack.”
The trash attack is primarily social, not technical, said the researchers, cryptologist Josh Benaloh of Microsoft Research and voting integrity researcher Eric Lazarus, president of the DecisionSmith consulting firm. “It is simple and practical, and it can be used to undetectably alter large numbers of votes,” they wrote in a paper published by Microsoft.
The key to the attack is to identify persons not likely to verify their votes, which would allow an insider to change that vote without fear of being caught. Benaloh and Lazarus also proposed a mitigation using hashing algorithms to mathematically link a number of ballots, making it difficult if not impossible to change one without making obvious changes to others.
“This mitigation makes the attack far more difficult and makes it nearly impossible to alter more than a small number of votes,” they wrote.
Verifiable election systems work by generating a voter receipt containing a key that can be used to check a published list of encrypted votes to ensure that the vote had not been altered before being counted.
Verifiable systems don’t prevent vote changing, but make it possible for voter to spot changes, which is a deterrent to inside manipulation. The idea is at least 30 years old and been developed to address the lack of security in most voting systems, both electronic and paper based, and the need to trust election officials that ballots are handled properly.
Benaloh, speaking at a Washington conference on the Uniformed and Overseas Citizens Absentee Voting Act in February, called the state of voting system security “really dreadful.”
“The fully electronic systems are so bad, not only because elections could potentially be stolen or lost, but because we couldn’t tell,” he said.
Although voter verification schemes have been around for decades they still have not been widely adopted. One of the first uses of the technology in a real election was in the 2009 municipal elections in the Washington, D.C., suburb of Takoma Park, Md.
Although most voters receiving a verification receipt probably would not check their votes in the final published tally, “as long as some voters check, we’re good,” Benaloh said. A malicious insider could not change any given vote without fear of being caught.
But Benaloh and Lazarus recognized that if an insider had any indication of which voters would not check their votes, those votes could safely be changed. This could be done in a number of ways, including recovering discarded receipts from a trashcan, hence the name “trash attack.”
The solution they offer is to identify each receipt with a hash function that also incorporates information from the previous receipt, creating what is called a running hash. This would make it impossible to change the contents of one ballot without changing the hash function not only of that ballot’s receipt, but of all subsequent receipts as well. If the hash function is used to match the receipt with the vote cast, this would mean that none of the holders of those receipts would be able to verify their tallied votes, making it much more likely that the changes would be discovered.
“The idea of a running hash is certainly not new,” the researchers wrote. “Hash chains are a common cryptographic tool and are found in many protocols. A running hash is not new to the election context either. However, computing a running hash of actual voter receipts and incorporating this hash within each subsequently issued receipt appears to be a novel approach.”
“This mitigation is very simple to incorporate into many verifiable election systems, but the effect can be profound,” they concluded.
NEXT STORY: China denies it hacked 2 US satellites