STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System

Josh Benaloh (Microsoft Research), Mike Byrne (Rice University), Philip Kortum (Rice University), Neal McBurnett (ElectionAudits), Olivier Pereira (Université catholique de Louvain), Philip B. Stark (University of California Berkeley), Dan S. Wallach (Rice University)

Abstract

In her 2011 EVT/WOTE keynote, Travis County, Texas County Clerk Dana DeBeauvoir described the qualities she wanted in her ideal election system to replace their existing DREs. In response, in April of 2012, the authors, working with DeBeauvoir and her staff, jointly architected STAR-Vote, a voting system with a DRE-style human interface and a "belt and suspenders" approach to verifiability. It provides both a paper trail and end-to-end cryptography using COTS hardware. It is designed to support both ballot-level risk-limiting audits and auditing by individual voters and observers. The human interface and process flow are based on modern usability research. This paper describes the STAR-Vote architecture, which could well be the next-generation voting system for Travis County and perhaps elsewhere.

This paper is a working draft. Significant changes should be expected as the STAR-Vote effort matures.

1 Introduction

A decade ago, DRE voting systems came with a promise of improvement. By having a computer mediating the user's voting experience, they could ostensibly improve usability through summary screens and a variety of accessibility features including enlarged text, audio output, and specialized input devices. They also promised to improve the life of the election administrator, yielding quick, accurate tallies without any of the ambiguities that come along with hand-marked paper ballots. And, of course, they were promised to be secure and reliable, tested and certified. In practice, much of this was wishful thinking.

Many current DRE voting systems experienced their biggest sales volume following the demonstrated failures of punch card voting systems in Florida in the 2000 presidential election. The subsequent Help America Vote Act provided a one-time injection of funds that made these purchases possible. Now, a decade later, these machines are near the end of their service lifetimes.

Last year, the election administration office of Travis County, Texas, an early adopter of these DRE systems, concluded that current systems on the market were inadequate for their need to replace their end-of-life DRE systems. They were also unhappy with the current-generation precinct-based optical scan paper ballot systems for a variety of reasons. In particular, hand-marked paper ballots open the door to ambiguous voter intent, which Travis County unhappily had to deal with in its previous centrally-tabulated optical scan system. They didn't want to go back. Likewise, with early voting and election day vote centers that must be able to give any voter who arrives at any location the proper ballot style, pre-printed paper ballots would be a management nightmare. Ballot-on-demand printing systems require laser printers that cannot run all day on battery backup systems¹, which restricts their reliability.

A group of academic experts in voting systems was assembled to design a replacement system in sufficient detail that bids could be solicited from manufacturers to implement the system. Our group included experts in cryptography, auditing, and usability, leading to some interesting challenges and questions. We were given several basic constraints: The user experience must resemble current DRE systems, but there should be a tangible voter-verifiable paper ballot, printed by the machine and deposited by the voter into a physical ballot box. This would allow for fast machine tallies and statistical audits to ensure their equivalence to the paper records. The system must be able to run all day on battery power. We were free to recommend sophisticated end-to-end cryptographic methods, privacy-preserving risk-limiting audit-

¹ A laser printer may consume as much as 1000 watts while printing. A reasonably good UPS, weighing 26 kg, can provide that much power for only ten minutes. Since a printer must take time to warm up for each page when printed one-off (perhaps 10 seconds total per page), as few as 60 ballots could be printed before the battery would be exhausted.

arXiv:1211.1904v1 [cs.CR] 8 Nov 2012