1 / 35

EAC-requested VVSG Research Overview and Status

EAC-requested VVSG Research Overview and Status. June 2008 Mark Skall Chief, Software Diagnostics and Conformance Testing Division National Institute of Standards and Technology. Contents. Overview of EAC-requested research tasks NIST approach Status of each task Next steps.

bartelt
Download Presentation

EAC-requested VVSG Research Overview and Status

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EAC-requested VVSG ResearchOverview and Status June 2008 Mark Skall Chief, Software Diagnostics and Conformance Testing Division National Institute of Standards and Technology

  2. Contents Overview of EAC-requested research tasks NIST approach Status of each task Next steps

  3. Additional research EAC requested that NIST conduct VVSG-related research 6 items in response to Standards Board/Board of Advisors resolutions from Dec 2007 meetings Final results to EAC Sep 2008

  4. Overview of six items Alternatives to software independence Developing standards for ballot on demand systems Impact of the VVSG on vote by phone systems Ramifications of separately testing and certifying components plus requirements for interoperability Impact of the VVSG on early voting or vote centers Developing alternatives to goal level requirements in the VVSG

  5. The NIST role EAC, not NIST, makes decisions wrt VVSG requirements NIST research will contain options as appropriate, each with pros and cons NIST goal is to provide useful data for EAC decision making: Provide complete set of options Include any ramifications to other EAC activities, e.g., certification, testing Think outside the box and be creative

  6. 1. Alternatives to software independence Should retain focus on security, verifiability, and auditability in the VVSG Research should be conducted on what changes need to be made to the VVSG to accommodate each alternative

  7. Current analysis While various alternatives to SI exist, they all have significant cons: Increased design and development costs Need for more rigorous and expensive testing Will take at least 3 years to develop: Will require significant research Will require standardization efforts Need for funding or possible development incentives Could be major ramifications to other areas of the VVSG that will need further study, e.g., usability, accessibility

  8. Approaches under consideration Along with IVVR, conforming alternatives could include End-to-end (E2E) cryptographic approaches Independent Verification (IV) Systems – also known as IDV Secure Audit Port requirements Also, remove SI restriction from Innovation Class

  9. Overall strategy Auditability Current draft next VVSG: With inclusion of alternatives: SI - Auditability SI IV Audit Port IVVR Innovation Class E2E IVVR Innovation Class

  10. Overall strategy Make auditability, not SI, an overarching requirement Moves focus to the trustworthiness of audit records Allows some reliance on software based on trust in audit records How is auditability achieved? Software independent approaches: IVVR E2E systems Independent verification systems Secure audit port Innovation class without SI restriction

  11. E2E cryptographic approaches • What is an E2E system? • Allows voters to verify votes cast as intended, counted as cast • Strength of crypto algorithm for encoding/decoding ballots is proof of correctness • Audits can be much simpler, voters can self-audit own ballots • Usability and accessibility issues easier to address

  12. E2E cryptographic approaches President Governor Receipt 101001 101010 Voting Stage

  13. E2E cryptographic approaches Receipt 101001 101010 Verification Stage Home PC Remote access

  14. E2E cryptographic approaches • Pros: • Generally considered to be software independent • Election is verifiable by public • Electronic audit records • Cons: • Emerging technology • Usability/Accessibility issues to be addressed • Long-term effort (research, standardization, implementation) • No commercially available implementations

  15. Independent Verification Systems • What is independent verification? • Two or more devices record cast ballots • Voter verifies that records match • Alternatively, one of the devices is a trusted device

  16. Independent Verification Systems President Governor Voting Device President Governor Witness Device Page 16

  17. Independent Verification Systems • Pros: • Electronic audit records • Redundant independent cast vote records • Usability/Accessibility potentially easier to address than with IVVR • Possibly an add-on technology to current voting systems • Cons: • Software dependent • Long-term effort (research, standardization, implementation) • Limited commercial availability • Architectural building a trusted device • Certification and interoperability issues

  18. Secure audit port • What is a secure audit port? • Similar to Independent Verification systems • One-way communication • May not be direct voter verification • Records voter and machine actions to construct voter choices- not necessarily cast vote records

  19. Secure audit port President Governor Voting Device Audit Device Page 19

  20. Secure audit port • Pros: • Electronic audit records • Allows for audit device innovation • Allows choice of audit devices • Similar to existing commercially available architectures • Cons: • Software dependent • Certification and interoperability issues • Security dependent on audit device functionality • No audit device specifications in VVSG • Medium-term effort (standardization)

  21. 2. Ballot on demand BOD: device that can print ballots on demand for use in elections Reduces need to pre-print and transport ballots to polling place NIST to research the feasibility of including BOD requirements in the VVSG Do election official needs require further research before requirements can be written?

  22. Current analysis BOD not a mature product yet Earlier NIST research with EAC boards identified diversity of opinions on what BOD should encompass A backup EMS application for emergencies A dedicated application possibly integrated with an epollbook Somehow integrated with a DRE

  23. Feasible, but NIST would need to conduct more research to focus on specifics VVSG impacts BOD in various ways Core: reliability, accuracy, misfeeds Security: ballot accounting, voter privacy, forgery-proof paper Human factors: usability for voters and poll workers, suitability for audit, accessibility Current analysis (cont)

  24. 3. Vote by phone systems VBP: voters use telephones and guided prompts to place votes, electronic and paper ballots printed out at remote office Does the VVSG, as written, prohibit VBP?

  25. Analysis Is feasible to permit VBP, but Will require some reworking of VVSG device class structure Will require strong cryptography and other communications security Would need to research usability of guided prompts for voters May not meet interpretation of HAVA regarding accessibility

  26. 4. Separately certifying components, interoperability of data format Develop a feasibility study of the ramifications of the EAC separately testing and certifying components Research requirements for interoperability between systems and system components NIST to research whether a specific standard for format of electronic election data can be required

  27. Current analysis VVSG conformance testing does not address interoperability: Adherence to a standard is alone not sufficient, implementations will still differ A separate interoperability testing program would need to be contemplated There is still a need to test the voting system as a whole, i.e., “The system is more than the sum of its parts.” A voting system architecture would need to be specified to know what needs to be interoperable

  28. Current analysis (cont) Premature to require a specific standard for the format of election data, more vetting needed Whatever chosen should natively support all voting variations in the VVSG Should be vetted by U.S. voting system vendors Interoperability should be demonstrated

  29. 5. Early voting & vote centers Addresses questions as to whether VVSG prohibits or impacts use of voting equipment in early voting or vote centers Especially of concern with regard to use of epollbooks

  30. No impacts seen, CRT requirements accommodate early voting and vote centers VVPAT requirements anticipated multi-precinct use of equipment Electronic poll book requirements permit network connections to central voter registration databases Caveat: cannot network poll books to vote capture devices and databases at same time Current analysis

  31. 6. Goal level requirements Identifying goal level requirements Requirements that can identify goals but are untestable Requirements that could be tested but testing will be subjective and non-repeatable

  32. Why Goal Requirements? Some requirements express a goal to be met by the vendor Is kind of a performance requirement, but without clear performance measures Often done to avoid constraining design requirements

  33. Obvious examples Systems SHALL maximize integratability with other systems and/or devices of other systems. Goal is for interoperability, but is untestable The procedures for system setup, polling, and shutdown, as documented by the manufacturer, SHALL be reasonably easy for the typical poll worker to learn, understand, and perform. Testing will be subjective It will be non-repeatable VVSG has roughly 20-30 goal level requirements

  34. Could be deleted or included as informative text or as “should” requirements Additional research could be conducted to make the requirements more specific Trade-offs exist as to amount of research Expert judgment may suffice in some cases Current analysis

  35. Summary Snapshot of current analysis was presented Research is very preliminary NIST vetting is not complete Analysis could change by September Final document due in September

More Related