ThreeBallot

From Wikipedia, the free encyclopedia
Jump to: navigation, search
A sample ThreeBallot multi-ballot, with a first race for President with candidates Jones, Smith, and Wu and a second race for Senator with candidates Yip and Zinn.

ThreeBallot is a voting protocol invented by Ron Rivest. ThreeBallot is an end-to-end (E2E) auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptography.

It may be difficult for a vote to be both verifiable and anonymous. ThreeBallot attempts to solve this problem by giving each voter three ballots: one verifiable, and two anonymous. The voter chooses which ballot is verifiable and keeps this secret; since the vote-counter does not know, there is a 1/3 chance of being discovered destroying or altering any single ballot. The voter is forced to make two of his three ballots cancel each other out, so that he can only vote once.

Goals[edit]

This theoretical system's goals include:

  1. Each voter's vote is secret, preventing vote-selling and coercion.
  2. Each voter can verify that his vote was not discarded, and was correctly used and not altered, in the computation of the election result. (And if not, the voter is in a position to prove the vote counters cheated.)
  3. Everybody can verify the election result was computed correctly.
  4. Everybody can verify that extra fake "voters" were not added, and the full list of voters is publicly known.
  5. The method is designed for use with paper ballots and requires primarily low-tech devices, but is compatible with more advanced technologies.

Method[edit]

[examples needed]

In the ThreeBallot Voting System voters are given three blank ballots, identical except for a unique identifier. To vote for a candidate the voter must select that candidate on two of the three ballots. To vote against a candidate (the equivalent of leaving a ballot blank in other systems) the voter must select that candidate on exactly one ballot. No candidate can be left blank in the ThreeBallot Voting System, and no candidate can be selected on all three ballots — this must be enforced by a trusted authority, which might be some mechanical apparatus, to prevent multiple-vote fraud. Because a for vote cannot necessarily be distinguished from an against vote once cast, multiple-vote fraud would facilitate vote-swapping and would not necessarily be detected in the tally-verification.

At the polling station, the voter makes a copy of any one of his three ballots. Then, all three original ballots are dropped into the ballot box. The voter keeps the one copy as a receipt.

At the end of the election, all ballots are published. Each ballot has a unique identifier. Each voter may verify that his votes were counted by searching for the identifier on his receipt amongst the published ballots. However, because the voter selects which of his ballots he receives as a receipt, he can arrange for his receipt to bear any combination of markings. Thus voters cannot prove to another party who they voted for, eliminating vote-selling, coercion, etc. . Rivest discusses other benefits and flaws in his paper.[1] .

A field test has found ThreeBallot to have significant privacy, security and usability problems.[2][3] However, an electronic version addressing such problems was proposed by Costa, et al.[4]

See also[edit]

References[edit]

  1. ^ Ronald L. Rivest (2006). "The ThreeBallot Voting System" (PDF). Retrieved 2007-01-16. 
  2. ^ Jones, Harvey; Jason Juang, and Greg Belote (2006). "Three Ballot in the Field" 6.857 class project, MIT. Reported in "ThreeBallot" tested by MIT students, December 2006.
  3. ^ Henry, K.; Stinson, D.R.; Sui, J. (2009). "The effectiveness of receipt-based attacks on threeballot". doi:10.1109/TIFS.2009.2031914.  Check date values in: |accessdate= (help);
  4. ^ Costa, R.G.; Santin, A.O.; Maziero, C.A. (2008). "A Three Ballot Based Secure Electronic Voting System". doi:10.1109/msp.2008.56.