The ThreeBallot Voting System
Ronald L. RivestComputer Science and Artiﬁcial Intelligence LaboratoryMassachusetts Institute of TechnologyCambridge, MA 02139
October 1, 2006
We present a new paper-based voting method with in-teresting security properties. The attempt here is tosee if one can achieve the same security properties of recently proposed cryptographic voting protocols, butwithout using any cryptography, using only paper bal-lots. We partially succeed. (Initially, I thought the pro-posal accomplished this goal, but several readers discov-ered a vote-buying attack (see Section4.4)that appearsto be rather diﬃcult to ﬁx without making the result-ing system much less usable in practice. Currently, thispaper should thus be viewed more as an academic pro-posal than a practical proposal. Perhaps some variationon these ideas in this paper might still turn out to beof practical use. The “OneBallot with Exchanged Re-ceipts” system sketched at the end of Section5.3.1,looksparticularly promising at the moment...)The principles of ThreeBallot are simple and easy tounderstand.In this proposal, not only can each voter verify thather vote is recorded as she intended, but she gets a “re-ceipt” that she can take home that can be used laterto verify that her vote is actually included in the ﬁnaltally. Her receipt, however, does not allow her to proveto anyone else how she voted.In this “ThreeBallot” voting system, each voter casts
paper ballots, with certain restrictions on how theymay be ﬁlled out, so the tallying works. These paperballots are of course “voter-veriﬁable.” All ballots castare scanned and published on a web site, so anyone maycorrectly compute the election result.A voter receives a copy of
of her ballots as her“receipt”, which she may take home. Only the voterknows which ballot she copied for her receipt. The voteris unable to use her receipt to prove how she voted or tosell her vote, as the receipt doesn’t reveal how she voted.A voter can check that the web site contains a ballot
The latest version of this paper can alwaysbe found at
matching her receipt. Deletion or modiﬁcation of bal-lots is thus detectable; so the integrity of the election isveriﬁable.
Designing secure voting systems is tough, since the con-straints are apparently contradictory. In particular, therequirement for voter privacy (no one should know howAlice voted, even if Alice wants them to know) seemsto contradict veriﬁability (how can Alice verify that hervote was counted as she intended?).The proposal presented here is an attempt to satisfythese constraints
the use of cryptograpy. We getpretty close...Like most cryptographic proposals, ThreeBallot uses apublic “bulletin board”–a public web site where electionoﬃcials post copies of all of the cast ballots (there willbe 3
of them if there are
voters) and a list of thenames of the voters who voted. (Some states might usevoter ID’s rather than voter names.)One key principle of ThreeBallot is to “vote by rows”and “cast by columns”. The ThreeBallot ballot canviewed as an array, where the voter places marks inrows corresponding to candidates, but then separatesthe columns and casts them separately, keeping a copyof one.ThreeBallot provides a nice level of end-to-endveriﬁability—the voter gets assurance that her vote wascast as intended and counted as cast, and that electionoﬃcials haven’t tampered with the collection of ballotscounted.
We assume that the reader is somewhat familiar withvoting systems. For more background, the followingreadings are recommended:
Roy Saltman’s new book,
The History and Politics