
Open source, open hardware? What a joke. Neither are resistant to chip/compiler level attacks such as https://www.schneier.com/blog/archives/2018/03/adding_backdo... and https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?

The article briefly mentions "That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,". But if that receipt doesn't let you prove anything about how you voted, how can you tell from it that your vote was captured 'correctly'? The machine can print anything on the receipt!

Then there is the question - what problem is e-voting trying to solve? Hand-counting scales perfectly and is extremely difficult to covertly tamper with. So the only 'problem' e-voting solves is that of being unable to covertly and fully subvert elections.
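To make the quoted receipt property concrete, here is an added illustration of one way a tally system can let a voter confirm a receipt is included in the published record without the receipt showing the choice: a hash commitment with a secret nonce. This is constructed example code, not from the article, DARPA, or any commenter; the `TallySystem` class, `commit` function and ballot ids are assumptions. It deliberately checks only inclusion, so the objection above (the machine could commit to the wrong vote) is not addressed by this mechanism.

```python
import hashlib
import secrets


def commit(ballot_id: str, vote: str, nonce: bytes) -> str:
    """SHA-256 commitment to (ballot_id, vote). Binding: changing the vote
    changes the digest. Hiding: without the 256-bit nonce the digest alone
    does not reveal which candidate was chosen."""
    return hashlib.sha256(f"{ballot_id}|{vote}|".encode() + nonce).hexdigest()


class TallySystem:
    """Hypothetical tabulator (constructed for this example). It keeps
    (vote, nonce) private and publishes only commitments on a bulletin board."""

    def __init__(self):
        self._records = {}   # ballot_id -> (vote, nonce), never printed
        self.board = []      # published commitments, one per recorded ballot

    def cast(self, ballot_id: str, vote: str) -> str:
        nonce = secrets.token_bytes(32)
        self._records[ballot_id] = (vote, nonce)
        receipt = commit(ballot_id, vote, nonce)
        self.board.append(receipt)
        return receipt       # the receipt carries only this digest

    def publish_tally(self) -> dict:
        tally = {}
        for vote, _ in self._records.values():
            tally[vote] = tally.get(vote, 0) + 1
        return tally

    def openings(self) -> dict:
        """Plaintext openings, released only to authorised auditors."""
        return dict(self._records)


def voter_check(board, receipt: str) -> bool:
    """Voter's check: the digest on my receipt is in the published list."""
    return receipt in board


def audit(board, openings, tally) -> bool:
    """Auditor's check: every published commitment opens to a vote, and the
    opened votes add up exactly to the published tally."""
    counted, opened = {}, set()
    for ballot_id, (vote, nonce) in openings.items():
        digest = commit(ballot_id, vote, nonce)
        if digest not in board:
            return False
        opened.add(digest)
        counted[vote] = counted.get(vote, 0) + 1
    return opened == set(board) and counted == tally
```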



> That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?

Have dedicated hardware compute a hash from the content of program ROM on demand with a button press and present it on an auxiliary 7-segment display. Compare against the hash of the vetted image. No software need be involved.

At some point in the process, machines will be used for tabulation. You have to trust the hardware to some extent. Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.


> Have dedicated hardware compute a hash from the content of program ROM

How do you check the circuit of that hardware?

How do you know the ROM you are reading is the ROM the CPU is executing from?

How do you know the CPU is the architecture you think it is and the program means what you think it means?

> You have to trust the hardware to some extent.

No, you don't, and you shouldn't. You can do all of that calculation by hand. And at the very least you can check a random selection by hand.

> Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.

In other words: Don't use electronics. You can't get simpler than pen and paper.


If the compiler was compromised, how do you know the vetted image is correct? If the hardware was compromised, then the software will still hash to the correct value. And once the attacker knows where you're getting the dedicated hardware for the hash, he can compromise that as well.

And the entire system relies on the people implementing it to not have been compromised. Because if they were, if the government itself compromised the machines, the voters could never tell. How good is a voting system that only works if your government is honest?


I think it's unfair to say there is no point in e-voting besides malice.

e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.

As for the "We won't tell you how you voted but you can validate it", my first guess would be some kind of PKI where you are given the equivalent of a private key, and your results are signed.

There are issues trusting hardware vs. trusting the sight of paper and two humans, I get that. But it's worth researching.


> e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.

In Australia we use IRV (what you call ranked-choice) and we don't have any forms of electronic voting for federal elections, and the overwhelming majority of votes cast in state elections are paper ballots (which are hand-filled). You don't need e-Voting to solve that problem.


Your votes are still probably counted by a computer. In San Francisco, we use optical scan ballots. This system is very similar. It prints out a ballot that you validate and feed into an optical scan machine. Marking the ballot is electronic, which allows for more language choices, assistance for hearing impaired people, etc.


> Your votes are still probably counted by a computer.

They are not. The count is done thrice, by hand, under supervision by scrutineers appointed by candidates.

It works very well.


Maybe not for IRV specifically, though it would arguably be easier anyway.

There are more esoteric (see, mathematically dependent) voting systems that meet the Condorcet criterion.


Sure, but computer vote tallying and e-Voting are not the same thing.


> But it's worth researching.

Yet they keep pushing for half-baked insecure systems long before any of this research has been finished.


Do you want it looked at, or not? You make no point. You get mad about the research, then get mad about some wanting to do it without enough research.

Is your point that we should never, for the rest of time, investigate the use of electronics for secure voting?


I'm sorry if this comes off as a bit hostile, but did you read at least the title of the article? "DARPA is building", not researching.

The content of the article reflected this - mostly about actually making a system, very little about research on the math behind secure voting on untrusted hardware. It's clear they want to use this.


I'm sorry, do you know what the acronym D.A.R.P.A. stands for, or that they explicitly stated they aren't the production implementer of any such system? Do you know what the network you're throwing packets at is based on?


Anything that relies on secure hardware/software is broken, since those are impossible to assure. The only part that can actually guarantee secure voting is everything that's outside the hardware. Things like cryptographic signatures, hashes, paper trails, whatever. Things that don't rely on the black box you're presented with when you vote to work how you think it works.

Researching that doesn't require a prototype. So why are they building one? As a first step to using a voting system based on it. This isn't 'research', it's propaganda to sell the idea that hardware can be secure. They'll give it to Defcon or whoever, and once they fix all the weaknesses hackers can find, they'll triumphantly declare it's 'secure', and that we can switch to e-voting, and not to worry our pretty little heads about chip/compiler-level backdoors, or if the builders of the system themselves subvert it.

They can state they won't be the implementer of such systems all they like, that doesn't change the intent of this program - to push e-voting reliant on 'secure' hardware.


DARPA isn't a voting system end user, and things built by DARPA tend to be proof-of-concept things that explore the possibility space and help later users set requirements for follow-on procurement.
