Ron Rivest sent along a link to a paper that MIT students Harvey Jones, Jason Juang and Greg Belote produced for their term project for Ron’s class on “Computer and Network Security.” The paper, “ThreeBallot in the Field”, describes some testing these students conducted of the “ThreeBallot” system (here’s a link to Ron’s paper on “ThreeBallot”). Here’s the paper abstract:
Voting systems have been the subject of much recent controversy. Due to the difficulty of securing and auditing electronic voting systems, a variety of different paper-based cryptographic voting schemes have emerged. Ronald Rivest has proposed a purely paper-based system called ThreeBallot, which strives to achieve the same level of security as cryptographic systems without using cryptography. Although ThreeBallot has been subject to academic criticism, it has not been tested in the field. This paper describes a paper-based and a computer-aided implementation of ThreeBallot. Any successful voting system must be usable, must be secure, and must preserve the secret ballot. To test usability, we held mock elections and observed voters. To test security and privacy, we executed attacks against these mock elections.
In one mock election, 20% of voters successfully sold their vote. One student, when given control of tallying the votes, was able to throw the entire election. In our usability studies we confirmed voter difficulty in using ThreeBallot. We found that about 10% of voters didn’t understand ThreeBallot well enough to check another’s ballot, and in one mock election more than 30% of voters failed to cast a valid ballot on their first try.
I asked Ron about his reaction to this research, and this is what he sent along:
“Yes, the students did an excellent job with this study. The usability results are very interesting, although not so surprising—ThreeBallot was understood from the beginning to be weak on usability. The security aspects of their study are also fascinating, reflecting as they do in the real world the theoretical vulnerabilities discussed in the original paper. The next iteration of ThreeBallot (paper forthcoming, to be co-authored with Warren Smith) should show substantial improvements in both usability and security, compared to the original proposal (stay tuned…). In any case, however, ThreeBallot represents a major qualitative step forward, achieving end-to-end auditability without the use of cryptography…”
Good work by these students! This is great evidence of how folks like Ron are training the next generation of voting technologists! I for one will stay tuned for the next iteration of “ThreeBallot” — and will certainly pass along the next iteration when it is available.