Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MERGE: Matching Electronic Results with Genuine Evidence for verifiable voting in person at remote locations

Ben Adida, John Caron, Arash Mirzaei, Vanessa Teague

TL;DR

MERGE addresses the challenge of overseas voting by combining rapid electronic ballot delivery with verifiable paper returns, enabling preliminary results from the electronic record while preserving auditability through a Risk Limiting Audit (RLA) that uses paper ballots. The protocol relies on a two-path flow (digital and paper), anchored by a public bulletin board and CAC-authenticated signatures, with ElectionGuard-based encryption, mixnets, and NIZK proofs to ensure verifiability and privacy within a controlled security model. A formal, game-based security analysis demonstrates that MERGE does not increase the probability of accepting a wrong outcome relative to standard RLAs, and a prototype shows practical performance with parallelizable cryptographic operations and mixnet proofs. Overall, MERGE offers a scalable, verifiable, and privacy-conscious approach to modernizing remote voting while maintaining strong auditability and coercion resistance, albeit with privacy tied to the integrity of the paper trail and human-verification processes.

Abstract

Overseas military personnel often face significant challenges in participating in elections due to the slow pace of traditional mail systems, which can result in ballots missing crucial deadlines. While internet-based voting offers a faster alternative, it introduces serious risks to the integrity and privacy of the voting process. We introduce the MERGE protocol to address these issues by combining the speed of electronic ballot delivery with the reliability of paper returns. This protocol allows voters to submit an electronic record of their vote quickly while simultaneously mailing a paper ballot for verification. The electronic record can be used for preliminary results, but the paper ballot is used in a Risk Limiting Audit (RLA) if received in time, ensuring the integrity of the election. This approach extends the time window for ballot arrival without undermining the security and accuracy of the vote count.

MERGE: Matching Electronic Results with Genuine Evidence for verifiable voting in person at remote locations

TL;DR

MERGE addresses the challenge of overseas voting by combining rapid electronic ballot delivery with verifiable paper returns, enabling preliminary results from the electronic record while preserving auditability through a Risk Limiting Audit (RLA) that uses paper ballots. The protocol relies on a two-path flow (digital and paper), anchored by a public bulletin board and CAC-authenticated signatures, with ElectionGuard-based encryption, mixnets, and NIZK proofs to ensure verifiability and privacy within a controlled security model. A formal, game-based security analysis demonstrates that MERGE does not increase the probability of accepting a wrong outcome relative to standard RLAs, and a prototype shows practical performance with parallelizable cryptographic operations and mixnet proofs. Overall, MERGE offers a scalable, verifiable, and privacy-conscious approach to modernizing remote voting while maintaining strong auditability and coercion resistance, albeit with privacy tied to the integrity of the paper trail and human-verification processes.

Abstract

Overseas military personnel often face significant challenges in participating in elections due to the slow pace of traditional mail systems, which can result in ballots missing crucial deadlines. While internet-based voting offers a faster alternative, it introduces serious risks to the integrity and privacy of the voting process. We introduce the MERGE protocol to address these issues by combining the speed of electronic ballot delivery with the reliability of paper returns. This protocol allows voters to submit an electronic record of their vote quickly while simultaneously mailing a paper ballot for verification. The electronic record can be used for preliminary results, but the paper ballot is used in a Risk Limiting Audit (RLA) if received in time, ensuring the integrity of the election. This approach extends the time window for ballot arrival without undermining the security and accuracy of the vote count.

Paper Structure

This paper contains 76 sections, 10 theorems, 10 equations, 6 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Authentication using CAC cards
  3. MERGE within the voting ecosystem
  4. Security properties and contributions
  5. Related work
  6. Technical Background and Notation
  7. Cryptographic components
  8. ElectionGuard
  9. Non-interactive zero-knowledge (NIZK) proofs
  10. Private decryption
  11. Mixnet
  12. Digital signature
  13. Hash function
  14. Serial Number
  15. Risk Limiting Audit
  16. ...and 61 more sections

Key Result

Corollary 1

Assuming all verification steps (outlined in Appendix subsec:verification) are successfully completed, for any adversary $\mathcal{A}$ who wins the Real World Game, there exists an adversary $\mathcal{A}'$ who wins the Ideal World Game.

Figures (6)

  • Figure 1: Overview of MERGE in the voting ecosystem.
  • Figure 2: The voting process.
  • Figure 3: The whole process for MERGE based on ballot comparison. Each Local Counting Center's votes are dealt with separately---the diagram shows the process for only one Local Counting Center.
  • Figure 4: Building ballots in Intermediate World 3 based on those in Intermediate World 4.
  • Figure 5: Building ballots in Intermediate World 2 based on those in Intermediate World 3.
  • ...and 1 more figures

Theorems & Definitions (30)

  • Remark 1
  • Definition 1
  • Remark 2
  • Definition 2
  • Remark 3
  • Corollary 1
  • proof
  • Definition 3
  • Proposition 1
  • Remark 5
  • ...and 20 more