ElectionGuard SDK: End-to-End Verifiable Voting

End-to-end verifiable voting

As part of the Defending Democracy Program, through our parent company Galois, we partnered with Microsoft in 2019 to develop the first release of ElectionGuard, a software development kit (SDK) that will enable anyone to build verifiable elections technology.

Voting system developers can use ElectionGuard to make their voting systems end-to-end verifiable, allowing for individual voters to confirm their votes were counted, as well as for third parties to validate that the results of an election haven’t been tampered with.

ElectionGuard is open source and available freely to the public, including election officials and election technology vendors who wish to build end-to-end verifiability into their voting systems. The ElectionGuard project has evolved significantly over the past year or so in exciting ways.  We are no longer actively working on ElectionGuard for Microsoft, though are closely tracking the project and its use.

End-to-end verifiability (E2E-V)

E2E-V is a cryptographic technology that enables voters to vote in a normal fashion in a polling place and have evidence that the election is trustworthy. A voter votes using either optical scan technology (the voter fills out a ballot by hand) or a ballot marking device (the voter uses a touchscreen and a paper ballot record is produced). Thus, a paper ballot remains the ballot of record—as advocated by all cybersecurity professionals involved in the elections integrity community—and facilitates post-voting election audits.

E2E-V voting systems also produce a cryptographic receipt, enabling voters to prove (1) that the voting system recorded their choices correctly and (2) that their ballot is part of the final results of the election. Moreover, the E2E-V protocol permits election officials and observers to determine whether the election has been run in a trustworthy fashion without any problems; if there are any issues—ranging from procedural problems to nation-state adversaries attempting to manipulate the election—they can be detected, and their impact can be narrowed to specific attacks or systems that have been compromised, so they can be procedurally and technically mitigated.

With ElectionGuard, developers can make an existing voting system end-to-end verifiable, or build in end-to-end verifiability from scratch.

SSITH Secure Hardware Demo

A 21st Century Voting System

Part of DARPA’s SSITH program, this project aims to demonstrate high-assurance secure hardware developed in SSITH by building a supervised voting system. The system will be publicly red teamed at DEF CON 2019 and 2020 to bear evidence to the hardware security guarantees.

DARPA’s System Security Integration Through Hardware and Firmware (SSITH) program seeks to break the cycle of vulnerability exploitation by developing hardware security architectures and associated design tools to protect systems against classes of hardware vulnerabilities. The goal of the program is to develop ideas and design tools that will enable system-on-chip (SoC) designers to safeguard hardware against all known classes of hardware vulnerabilities that can be exploited through software.

This project seeks to demonstrate and assess artifacts developed as part of SSITH— primarily three secure RISC-V CPUs: a microcontroller, a desktop CPU, and a server CPU—in a complex heterogeneous system.

Voting systems were chosen because they represent a compelling example of critical infrastructure that could benefit from secure hardware. The systems we aim to build are not meant for use in actual elections; they are instead a demonstration of secure technology that aims to serve as a teaching and research vehicle.

Public availability and red teaming

To evaluate the systems’ security properties, we aim to demonstrate the voting systems publicly in 2019 and 2020 at the DEF CON Voting Village and invite white hat hackers to analyze and attempt to compromise the systems. Moreover, we aim to make the software and hardware source code publicly available so that red teaming can happen continuously between the DEF CONs and beyond.

Hackers are permitted to attack the voting systems in three ways, two of which are traditional and one of which is unconventional. Attackers can attack (1) over an Ethernet network or (2) via a serial device. But more critically, (3) they have a facilitated means by which to load untrusted binaries directly on the voting systems, effectively presuming that the enemy is inside of the system itself. SSITH secure hardware is meant to detect and defeat even this level of intrusion.

Our aim is to enable cybersecurity professionals, industrial researchers, students, and professors to test and analyze the systems, and use the demonstrators for teaching and learning about hardware design and security, secure compilation, RISC-V technologies, formal methods, and elections technologies.

The open source hardware descriptions and bitstreams will be available to run on off-the-shelf field-programmable gate arrays (FPGAs). We also aim to develop low-cost, crowd-funded FPGA development boards that run a virtual secure CPU and enable running and testing the voting system at home for individuals who don’t have access to an expensive high-end FPGA development board. In addition, open hardware allows electrical engineers to easily order or build the required boards themselves.

The voting system demonstrators we aim to build have both (1) a ballot marking device that produces a paper ballot record, whose main focus is on permitting persons with disabilities to vote independently, and (2) a optical scan voting system, which facilitates voters who wish to vote using traditional paper ballots and a pen.

At DEF CON 2019, we aim to demonstrate a smart ballot box based on SSITH secure hardware, as part of a ballot marking device-based voting system built primarily on commercial off-the-shelf hardware. At DEF CON 2020, we aim to demonstrate all components of a voting system on SSITH hardware, including both ballot marking devices and optical scan systems.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR0011-18-C-0013. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA). Approved for Public Release, Distribution Unlimited

Risk Limiting Audits

Evidence-based post-election audits

Free & Fair has created a risk-limiting audit (RLA) system that was used statewide in Colorado beginning with the November 2017 general election. First developed in 2008, RLAs promote evidence-based confidence in election outcomes by comparing a random sampling of paper ballots to their corresponding digital versions. This was the first time anywhere in the United States that risk-limiting audits are conducted on a regular, statewide basis. Learn more about RLAs and how the new Colorado system works here.

Qubie, the poll queue monitor

Automatically measure wait times
at polling places with Qubie

Qubie is a small computer that can automatically measure how long voters wait in line to cast their ballots on election day. Qubie does this this by using public wireless signals from smartphones and wearables to measure how long voters wait in line at a polling place. Throughout the day, Qubie can build a detailed picture of waiting time, delays, and smooth stretches by time of day. The data Qubie produces is 100% anonymous and can help election officials better understand the needs of polling places by providing straightforward queue data. The data can then be used in conjunction with other information to better allocate resources and poll workers, in order to ensure election days go smoothly.

Qubie is built on open hardware and its software is open source. It is available for jurisdictions to implement themselves at no cost.

Measuring wait times

The Presidential Commission on Election Administration—formed by Executive Order 13639 in response to the long lines witnessed in the 2012 elections, and published in January 2014—has as one of its key recommendations:

Jurisdictions should develop models and tools to assist them in effectively allocating resources across polling places.

The supporting best practice cited in the report reads:

Election officials should keep track of wait times at individual polling places using simple management techniques, such as recording line length at regular intervals during Election Day and giving time-stamped cards to voters during the day to monitor turnout flow.

Qubie is a low-cost, open source solution to this problem. It lasts for years, its cost is lower than even the least expensive recommendation (that of printing out and managing stamped cards for a single election, given the cost of poll workers and materials) and it provides features unavailable in any publicly available, privacy-preserving technology:

  • detailed privacy-preserving logging of voter wait time for election administrators to analyze and optimize their polling places on Election Day and in postmortem,
  • an automatically constructed analytical model of the polling place to determine where the pinch points of its election process are, and
  • the ability to help election officials automatically publish the current wait time at all polling places on Election Day.

Qubie is distributed under a 3-clause BSD license, and is available on GitHub at https://github.com/FreeAndFair/Qubie.