To check that a ballot paper hasn’t been rigged, the voter simply scratches off the surface to reveal a number that can be combined with a number corresponding to the order of the names and a publicly available encryption key. In theory, voters could use cryptographic software at the poll to perform these operations; but in practice, trusted third-party organizations could provide a means for voters to check their ballot papers. If the codes match, the “audit” ballot is legitimate, and it should be okay to vote with the other ballot.
An S&V system should also be useful in post-vote auditing, because all of the encrypted votes could be posted online. Once voters cast their ballots, by scanning them into a machine, they keep them as a receipt. Later, they can use this paper to check that their vote has been counted, by simply looking up their vote and seeing that the encryption code matches the one on their ballot paper.
Using scratch surfaces has been proposed before, says Ryan. But with the S&V system the scratch surface serves as a way of voiding the ballot. If it has been scratched off, it ensures that an audited ballot cannot be used.
The success of such a system will depend on more than its security features, however. Ultimately, it must be easy for voters to understand. Adida accepts that their system is complicated – but he’s unapologetic: “All this complexity is not gratuitous, it is necessary to make sure that you have a secret ballot.”
Michael Shamos, who carries out voting system evaluations, and is co-director of the Institute for eCommerce at Carnegie Mellon University in Pittsburgh, PA, says he has high hopes for cryptographic voting schemes like this one. Still, he believes it will be a challenge to get them adopted. Officials will need to understand and accept them and the public need to be persuaded of the benefits. “These are all tall orders,” he says. The cryptographic techniques that underlie them are complicated and may require officials to put their faith in the claims of mathematicians. “I wonder if legislators will ever be willing to do that,” he says.
Rivest is more optimistic. Legislators are already putting their faith in computer software that they don’t understand, he says. There is an irony that using encryption to make elections more transparent could make the underlying processes seem more complex, he says. Even so, Rivest is hopeful. “There is a trend in the U.S. for legislators to move toward paper-verified auditable trails,” he says. And this trend, he believes, is a step in the right direction.