1 / 34

Information-Flow Analysis of Elections

Information-Flow Analysis of Elections. Ben Hosp Poorvi Vora The George Washington University VSRW2006 June 8, 2006. Overview. We present a system of metrics for various functions of election systems. The system is based on a model of an election as a communications channel.

abie
Download Presentation

Information-Flow Analysis of Elections

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information-Flow Analysis of Elections Ben Hosp Poorvi Vora The George Washington University VSRW2006 June 8, 2006

  2. Overview • We present a system of metrics for various functions of election systems. • The system is based on a model of an election as a communications channel. • Based on information flow. • The metrics are based on the concept of information-theoretic entropy. • A measurement of the uncertainty in the value of a random variable.

  3. Election Goals • Integrity • Capacity of the election system to communicate information about the “actual” vote totals. • Privacy • Resistance of the election system to providing information about individual votes. • Verifiability • Proof that the full capacity was used.

  4. Voting Is A Channel Voters Results

  5. Channels Have Noise Voters Results Noise

  6. Voting Involves At Least Two Sources of Noise Votes Voters Results Poor Ballot Usability Privacy

  7. Two Sources of Noise = Two Channels Votes Voters Election Output Is Itself A Valuable Election Property Should Always Be Minimized Privacy Poor Ballot Usability More… Counted As Cast Cast As Intended

  8. Our Model Voters Counted As Cast Channel Election Output Votes

  9. Integrity Election Output Voters • Perfect Integrity means that the Vote Count is correct. • No uncertainty remains in the “actual” vote tally once the output Vote Count is known. Vote Count Votes SV

  10. Integrity Election Output Voters • Here, N represents the “honest” mistakes the channel can make. • The Integrity of the voting system, then, is the rarity of such honest mistakes. Vote Count Votes SV + N

  11. Privacy Election Output Voters • The “votes” are not actually public knowledge. • But an attacker may be able to guess some of the votes’ information. (Votes) Vote Count Votes SV + N

  12. Privacy Election Output Voters • Maximal Privacy means that the only information about the Votes that is revealed is the Vote Count. V+ M (Votes) Vote Count Votes SV + N

  13. Privacy Election Output Voters • The Privacy Loss of the voting system is the information about the actual Votes (not SV) that is contained in the results. V+ M (Votes) Vote Count Votes SV + N

  14. Recall Election Output Voters • N represents “honest” mistakes in the Vote Count. • “Honest” mistakes are mistakes that the election system accepts and declares. V+ M (Votes) Vote Count Votes SV + N

  15. Verifiability Election Output Proof Voters • Verifiability requires that there is no additional source of errors in the Vote Count outside of N. • This is our assurance that the system that had its Integrity measured was actually used on Election Day. V+ M (Votes) Vote Count Votes SV + N

  16. Verifiability Election Output Proof Voters • Perfect Verifiability would leave no doubt that there were no undeclared errors. • This would require revealing much more information about the Votes than SV. • (Information-theoretic information, not necessarily computational information.) V+ M (Votes) Vote Count Votes SV + N

  17. Verifiability Election Output Proof Voters • The Verifiability metric is the reduction in our uncertainty whether any errors were honest. • This implies revealing some information about the Votes (more than SV). V+ M (Votes) Vote Count Votes SV + N

  18. Unfair (Discriminatory) Elections • Different voters may be treated differently by an election system. • Blind voters may fill out a different ballot than other voters. • Or fill it out with a different method. • In our model, this means that the two groups of voters are using two different channels. • Hence two different election systems, which should be rated separately. • If such discrimination is done covertly, it would be addressed by Verifiability.

  19. Example: Senate Election Vote to Voter link announced. Votes can be counted by anyone. • Integrity: Perfect • Privacy: Zero if everyone whose vote is incorrect corrects the vote • Verifiability: Perfect, unless some don’t correct an incorrect vote

  20. Example: Fraudulent Election Votes thrown in river, Alice declared winner • Integrity: Zero • Privacy: Perfect. Vote count independent of votes • Verifiability: Perfect because Alice is declared winner, and this can be checked

  21. Example: Fraudulent Senate Election Vote to Voter link announced. Votes can be counted by anyone. But populace unlikely to correct wrong votes because they fear dictator • Integrity: Perfect • Privacy: Non-Zero if some whose vote is incorrect do not correct the vote • Verifiability: Not perfect, because at least some don’t correct an incorrect vote

  22. Example: Hand Count, Paper Ballots Counted N times; average count is final count • Integrity: not perfect, decreases with N • Privacy: depends on shuffle of the stored votes • Verifiability: depends on ballot security • Stored securely? • Are ballot boxes stuffed? • Because no individual can be present to view each ballot box, and check each count, verifiability is imperfect

  23. ExamplePrecinct-Level Hand Counts Vote counts announced at precinct level • Integrity: Same as previous • Privacy: Lower than previous because a single voter hides in a crowd of fewer voters • Verifiability: Higher than previous because easier for individual voter to watch the ballot box and attend the count.

  24. Example: Opaque Ballot Box Paper Ballots, deposited by voters into an opaque ballot box, later counted by hand in public. • Integrity: Same as other hand-counted methods. • Possibly slightly better because the count is public.. • Privacy: Perfect. • Verifiability: None • How do you know there isn’t some shenanigans in the box?

  25. Example: Transparent Ballot Box Paper Ballots, deposited by voters into a transparent ballot box, later counted by hand in public. • Integrity: Same as previous example. • Privacy: Worse than before. • It is possibly to track a specific ballot if you pay close enough attention. • Verifiability: Much better than previous example. • You can keep an eye on the ballots to ensure there is no trickery.

  26. Example: Randomized Partial Audits in Cryptographic Schemes MIX 1 MIX 2 Verifiability vs. Privacy Trade-off

  27. Example: Randomized Partial Audits

  28. Example: Randomized Partial Audits

  29. Conclusions • There is a tradeoff between Integrity and Privacy. • If we count the votes, then we can at best provide Maximal Privacy. • There is also a tradeoff between Verifiability and Privacy. • In order to verify the count, we must give out some additional information about the individual ballots.

  30. END More Technical Talk to Follow After Lunch Integrity Breakout Session

  31. Integrity Election Output Voters • Information communicated about the real vote tally by the vote count by the election system’s algorithm if followed honestly and correctly. • Information is measured using “entropy.” Counted As Cast Channel Vote Count Votes

  32. Some Competing Goals for “Counted As Cast” Channel • Integrity • Information communicated about the real vote tally to the results by the election system’s algorithm if followed honestly and correctly. • Information is measured using “entropy” • Privacy • Noise that obscures the connection between an individual voter and the contents of her ballot. • Verifiability • Proof that the election system’s algorithm was followed honestly and correctly.

  33. Information-Theoretic Concepts • Entropy of (uncertainty in) random variable X with probability function pX(x): • Uncertainty in X when Y is known: • Mutual (shared) Information between X&Y:

  34. Information-Theoretic Metrics • Integrity: • Privacy Loss: • Verifiability:

More Related