TheOfficialACM

Risk-limiting audits (the topic of this thread) are all about how to improve security with paper ballots. So a reasonable question for someplace that has paper ballots is "when are you going to do RLAs?"

Without paper ballots, we're back in the world of paperless electronic voting systems, which have been shown to have a variety of security vulnerabilities (discussed elsewhere in this Reddit). So a reasonable question for someplace that has paperless electronic voting systems is "when are you going to retire these machines and what's the plan to replace them?"

I'm not aware of any systematic voting machine election interference, at least in any U.S. election in anything resembling the modern era. If you go back far enough in time, you get plenty of well-documented messy elections. The story of "Landslide" Lyndon Johnson's victory in the 1948 Texas Senate Race is pretty amazing.

It's exceptionally difficult (read: expensive, time consuming) to do a forensic audit of the sort you're describing, and the adversary has an advantage in this game, because they could potentially engineer their malware to erase itself after the election is over.

The goal of RLAs and other kinds of election auditing procedures is to achieve a property called software independence, such that we can gain confidence in the correct outcomes of an election without requiring any confidence that the software is correct.

A Reddit AMA is the wrong place to get into the finer points of blockchains, cryptocurrency, and/or public bulletin boards.

Suffice to say that one of the core features of most blockchains is consensus, while one of the core features of a public bulletin board is maintaining evidence. Those are emphatically not the same thing, even though many of the same cryptographic techniques (zero knowledge proofs, hash data structures, etc.) are used in both settings.

The trick with these fancy e2e-verifiable schemes is that they're very good at providing the voter with evidence that everything worked perfectly, but if something goes wrong, and there are a lot of ways for things to go wrong, it's not necessarily easy to pinpoint the problem.

ElectionGuard happens to be open source, but that's not a requirement for security. In fact, the magic of e2e-verifiable schemes is that they create a much more interesting property called software independence, which means that we can verify a correct election outcome without being required to trust any of the software used by the election officials.

Risk limiting audits, by the way, are also a method of achieving software independence, without any cryptography at all.

Here's a more concise way to put it: I would prefer if we did not have trade secrets in elections. Let the vendors copyright and/or patent their stuff, but the source code should be open to public inspection. This isn't about security, per se, as much as it's about transparency. If you want to get nerdier about it, it's also about publicly verifiable reproducible builds, which has ramifications for security and transparency.