Election Security is Harder Than You Think by Matthew Bernhard A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Computer Science and Engineering) in the University of Michigan 2020 Doctoral Committee: Professor J. Alex Halderman, Chair Assistant Professor Nikola Banovic Research Professor Peter Honeyman Professor Walter R. Mebane, Jr. Institute Professor Ronald L. Rivest Matthew Bernhard [email protected] ORCID iD: 0000-0002-2700-8921 © Matthew Bernhard 2020 DEDICATION To Mom and Dad, who raised me to be thoughtful, compassionate, and curious. ii ACKNOWLEDGEMENTS Thanks to my parents for supporting my going to grad school even though it wasn’t always clear why. Thanks to my mom for supporting me no matter what. I regret that you’ll never get to read this. Thanks to my dad for being a shelter from the storm and a shoulder to lean on throughout the very difficult past year, and for helping me throughout life in all manner of things. Thanks to Monica, without whom the last mile would have been unfinished. Thanks to Ben VanderSloot, who has been in the trenches with me since day one, and who has taught me so much about how to engage critically in the world. Thanks to Allison McDonald, for being a best friend when I needed one most, and for helping me recalibrate my understanding and expectations of the world. Thanks to Ram Sundara Raman for comisserating and listening. Thanks to Reethika Ramesh for giving me hope that good things and good people can survive grad school. Thanks to Sai Gouravajhala, David Adrian, Zakir Durumeric, Pat Pannuto, Eric Wustrow, Drew Springall, Andrew Kwong, Kevin Loughlan, Andrew Quinn, Chris Dzombak, Deepkika Natarajan, Marina Minkin, Haizhong Zheng, Tim Trippel, Ofir Weisse, Renuka Kumar, Steve Sprecher, Connor Bolton, and so many others who made grad school what it was. Thanks to Dan Wallach, for putting me on this path to begin with. Thanks to J. Alex Halderman for taking a chance on an undergrad with a less-than-stellar GPA, and facillitating my growth into something approaching a scientist. Thanks to my committee members, who have all been incredibly supportive. iii TABLE OF CONTENTS DEDICATION ::::::::::::::::::::::::::::::::::::::: ii ACKNOWLEDGEMENTS ::::::::::::::::::::::::::::::::: iii LIST OF FIGURES :::::::::::::::::::::::::::::::::::: ix LIST OF TABLES ::::::::::::::::::::::::::::::::::::: xii ABSTRACT ::::::::::::::::::::::::::::::::::::::::: xiii CHAPTER I. Introduction .....................................1 1.1 What Makes an Election Secure? . .2 1.1.1 Why Paper Matters . .3 1.2 Voter-verified Paper . .4 1.3 Post-election Audits . .5 1.3.1 Modeling Post-election Audits . .7 1.3.2 A Manifest Improvement on an Existing RLA Technique . .7 1.4 Perfect is the enemy of good . .8 II. What Makes an Election Secure? ......................... 10 2.1 Introduction: What is the evidence? . 10 2.1.1 Why so hard? . 11 2.2 Definitions of Integrity . 12 2.2.1 Software Independence . 13 2.2.2 End-to-end verifiability . 14 2.2.3 From Verifiable to Verified . 16 2.3 The Role of Paper and Ceremonies . 17 2.3.1 Risk-Limiting Audits . 18 2.4 Privacy, Receipt Freeness, and Coercion Resistance . 20 2.4.1 Basic Confidentiality . 20 iv 2.4.2 Everlasting Privacy . 21 2.4.3 Systemic Privacy Loss . 21 2.4.4 Receipt-freeness . 22 2.4.5 Coercion Resistance . 23 2.5 Other Security Considerations . 24 2.5.1 Voter Authentication . 24 2.5.2 Availability . 25 2.5.3 Usability . 25 2.5.4 Local Regulatory Requirements . 26 2.5.5 Complex Election Methods . 26 2.6 A Look Ahead . 27 III. Why Paper Matters ................................. 28 3.1 Introduction . 28 3.2 Background . 30 3.2.1 Ballot Images . 30 3.2.2 Image Audits . 31 3.3 Attack Scenarios . 32 3.4 Methodology . 34 3.4.1 Reading the ballot . 35 3.4.2 Changing marks . 35 3.4.3 UnclearBallot . 37 3.5 Evaluation . 38 3.5.1 Testing Across Ballot Styles . 39 3.5.2 Testing with Real Voted Ballots . 41 3.6 Discussion and Mitigations . 43 3.6.1 Uses for image audits. 44 3.6.2 End-to-end (E2E) systems. 44 3.6.3 Other mitigations. 45 3.6.4 Detection. 45 3.6.5 Future work. 46 3.7 Conclusion . 47 IV. Voter-verified Paper ................................. 48 4.1 Introduction . 48 4.2 Background and Related Work . 51 4.2.1 Human-Dependent Security . 51 4.2.2 Usable Voting Systems . 53 4.2.3 Voter-Verifiable Paper and Ballot-Marking Devices . 54 4.3 Materials and Methods . 55 4.3.1 The Polling Place . 57 4.3.2 The Voting Machines . 58 4.3.3 The Ballot . 59 v 4.3.4 Participants and Recruitment . 61 4.3.5 Experiments . 62 4.4 Results . 64 4.4.1 Participant Demographics . 64 4.4.2 Verification Performance . 65 4.4.3 Correlates . 67 4.4.4 Participant Comments . 72 4.5 Security Model . 74 4.6 Discussion . 78 4.6.1 Limitations . 78 4.6.2 Discussion of Findings . 79 4.6.3 Recommendations . 80 4.7 Conclusion . 85 V. Modeling Post-election Audits ........................... 86 5.1 Introduction . 86 5.2 What is a risk-limiting audit? . 89 5.2.1 Audits in Complex Elections . 90 5.2.2 Audit Units . 91 5.2.3 A general RLA . 91 5.2.4 Mechanics of an RLA . 92 5.3 Workload Estimation . 94 5.3.1 Preliminaries . 94 5.3.2 The Workload Function . 97 5.3.3 Estimating Workload . 98 5.3.4 An example workload comparison . 100 5.4 Parallelizing the work . 100 5.5 Validating the Model . 101 5.6 Comparing RLA Techniques . 103 5.6.1 Election Size . 105 5.6.2 Batch Size . 106 5.6.3 Escalation . 107 5.7 Limitations . 108 5.7.1 Future Work . 109 5.8 Conclusion . 109 VI. A Manifest Improvement on an Existing RLA Technique ............ 110 6.1 Introduction . 110 6.2 Notation and Mathematical Background . 114 6.2.1 Multi-round Bernoulli Sampling . 114 6.2.2 Exchangeability and Conditional Simple Random Sampling . 115 6.3 Tests . 115 6.3.1 Wald’s SPRT with a Nuisance Parameter . 116 vi 6.3.2 Auditing Multiple Contests . 117 6.4 Escalation . 118 6.5 Initial Sampling Rate . 119 6.6 Implementation . 121 6.6.1 Election Night Auditing . 121 6.6.2 Vote-by-mail and Provisional Ballots . 122 6.6.3 Geometric Skipping . 122 6.6.4 Pseudorandom Number Generation . 123 6.7 Evaluation . 124 6.7.1 Empirical Data . 125 6.8 Discussion . 125 6.8.1 Previous Work . 127 6.8.2 Stratified Audits . 127 6.9 Conclusion . ..
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages194 Page
-
File Size-