|
End-to-end auditable or end-to-end voter verifiable (E2E) systems are voting systems with stringent integrity properties and strong tamper resistance. E2E systems often employ cryptographic methods to craft receipts that allow voters to verify that their votes were not modified, without revealing which candidates were voted for. As such, these systems are sometimes referred to as receipt-based systems. ==Overview== Electronic voting systems arrive at their final vote totals by a series of steps: # each voter has an original intent, # voters express their intent on physical ballots (whether transient, as on the display of a DRE voting machine, or durable, as in systems with voter verifiable paper trails), # physical ballots are represented electronically, # electronic ballot images are collected into a ballot box, # vote totals are computed from the electronic images, and # where counting is conducted locally, for example, at the precinct or county level, the tallies from each local count are aggregated to produce the final tally. Classical approaches to election integrity tended to focus on mechanisms that operated at each step on the chain from voter intent to final total. Voting is an example of a distributed system, and in general, distributed system designers have long known that such local focus may miss some vulnerabilities while over-protecting others. The alternative is to use end-to-end measures that are designed to guard the integrity of the entire chain.〔J. H. Saltzer, D. P. Reed and D. D Clark, End-to-End Arguments in System Design, (ACM Trans. on Computer Systems (TOCS) ), Vol 2, No. 4, Nov. 1984, pages 277-288〕 The failure of current optical scan voting systems to meet reasonable end-to-end standards was pointed out in 2002.〔Douglas W. Jones, End-to-End Standards for Accuracy in Paper-Based Systems, (Workshop on Election Standards and Technology ) ((alternate source )), Jan 31, 2002, Washington DC.〕 End-to-end coverage of election integrity frequently involves multiple stages. Voters are expected to verify that they have marked their ballots as intended, we use recounts or audits to protect the step from marked ballots to ballot-box totals, and we use publication of all subtotals to allow public verification that the overall totals correctly sum the local totals.〔Douglas W. Jones, Perspectives on Electronic Voting, (From Power Outages to Paper Trails ) ((alternate source )), IFES, Washington DC, 2007; pages 32-46, see particularly Figure 4, page 39.〕 While measures such as voter verified paper audit trails and manual recounts increase the end-to-end coverage of our defenses, they offer only weak protection of the integrity of the physical or electronic ballot boxes. Ballots could be removed, replaced, or could have marks added to them (''i.e.,''to fill in undervoted contests with votes for a desired candidate or to overvote and spoil votes for undesired candidates). This shortcoming motivated the development of the end-to-end auditable voting systems discussed here, sometimes referred to as ''E2E voting systems''. These attempt to cover the entire path from voter attempt to election totals with just two measures: * Voter auditing, by which any voter may check that his or her ballot is correctly included in the electronic ballot box, and * Universal verifiability, by which anyone may determine that all of the ballots in the box have been correctly counted. Because of the importance of the right to a secret ballot, all of the interesting E2E voting schemes also attempt to meet a third requirement, usually referred to as ''receipt freeness''. *No voter can demonstrate how he or she voted to any third party. Some researchers argue that end-to-end auditability and receipt-freeness should be considered to be orthogonal properties.〔Douglas W. Jones, (Some Problems with End-to-End Voting ), position paper presented at the (End-to-End Voting Systems Workshop ), Oct. 13-14, 2009, Washington DC.〕 These two properties are combined in the 2005 Voluntary Voting System Guidelines promulgated by the Election Assistance Commission.〔(2005 Voluntary Voting System Guidelines ), Election Assistance Commission〕 This definition is also predominant in the academic literature.〔Jeremy Clark, Aleks Essex, and Carlisle Adams. (On the Security of Ballot Receipts in E2E Voting Systems ). IAVoSS Workshop on Trustworthy Elections 2007.〕〔Aleks Essex, Jeremy Clark, Richard T. Carback III, and Stefan Popoveniuc. (Punchscan in Practice: An E2E Election Case Study ). IAVoSS Workshop on Trustworthy Elections 2007.〕〔Olivier de Marneffe, Olivier Pereira and Jean-Jacques Quisquater. (Simulation-Based Analysis of E2E Voting Systems ). E-Voting and Identity 2007.〕〔Ka-Ping Yee. (Building Reliable Voting Machine Software ). Ph.D. Dissertation, UC Berkley, 2007.〕 Note that assertions regarding ballot stuffing are not inherently addressed by the definition of E2E, although they can be externally verified by comparing the number of votes cast with the number of registered voters who voted. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「End-to-end auditable voting systems」の詳細全文を読む スポンサード リンク
|