It's not an engineering problem, it's a political problem. To the extent that it's engineering, it's solved if we would only adopt the known good approaches.
But we won't because there is political utility in having elections remain murky and messy for parties who may benefit from manipulation of the vote through disenfranchisement or other shenanigans.
I think paper ballots should be collected at each polling location.
I also think paper ballot totals from each polling location should be published publicly in a variety of forms, so that the totals can be added independently.
Paper ballots get counted publicly. Anyone that would like to witness it can attend for any amount of time and call out miscounts. Totals are read out on live TV.
The most successful attacks on democracy are gerrymandering (US especially) and misinformation (global problem, see Brexit though specifically). Don't get me wrong, this sort of security is necessary but there's nothing wrong with tossing out the machines and using real paper ballots with a pencil (thus sidestepping the problem). You can even machine-read those for a machine count (which can be verified since the paper ballots are still around to rescan with different hardware/software for validation).
How do you engineer around the misinformation vector though? That's the hard problem.
The premise of democracy, at least the American incarnation, is to allow people to believe whatever they want to believe. As a candidate, you have the freedom to say whatever you want. Even if everything they say is true, they can draw attention to the wrong issues, or stoke fear. To argue against misinformed voters is to argue against the foundation of the process. It's not just foreign countries dropping propaganda to disrupt sensible consensus, it's the people themselves running who are propagating misinformation.
"In a Democracy, the real rulers are the dexterous manipulators of votes, with their placemen, the mechanics who so skillfully operate the hidden springs which move the puppets in the arena of democratic elections. Men of this kind are ever ready with loud speeches lauding equality; in reality, they rule the people as any despot or military dictator might rule it." - Pobedonostsev
At the end of the day, whoever either spends the most money yelling out a megaphone, or gets the most attention yelling, gets elected. Except for times like Trump exploiting the modern news/press cycle for his own benefit, most election winners are the ones who spend more money. I think the last time the lesser spend won a presidential election was Carter running against Ford. Goldwater got spanked as well, compared to spending.
In some sense it's very democratic for leaders to promise the moon. It's a bit worse for countries where coalition governments are the norm. Parties hide behind the coalition when they can't (inevitably) make everything happen they promised in the campaign for votes.
Not only are paper ballots simple and effective, they can be mailed out 2 weeks ahead of time and people can vote with a laptop, at their leisure. Also, you don't have to store them for three months at a time with proof of custody, you can just scan them, or dump them once the election has been certified.
Voting machines sound great but that's solving a problem by doing things the same way with tech.
Where I come from, the voting machines create a paper with the votes, which the voter gets to review. That seems to have all the advantages of the paper ballots, with the electronic advantage of rapid totals.
I would like to see spot checks - pick a few precincts at random, and compare the electronic totals to the paper.
The paper ballots via mail handle infrastructure and are counted by machine with spot checking. Also, you can go to the vote counting floor at any time and be part of the process.
However you don't have to set up/store machines, and people can vote over a few days which means better access to everyone.
Voting by mail has an even more massive security hole, in that ballots can be stolen, or people coerced (or paid). To my knowledge that hasn't happened yet, either in Oregon or in absentee voting, but with the level of discourse being what it is, I suspect it could easily become a problem.
I hear this from time to time but a massive security hole is putting everything in one place on the internet.
The coordination and effort required to go door to door stealing ballots out of mailboxes or taking van loads of ballots from a post office, in a day and age where every block has dozens of cameras. There is also a step where you get a code, and you can log in and see how that ballot voted.
Think about the amount of money required to pay people to vote, say people will do it for $10, and everyone you ask that doesn't do it also keeps their mouth shut. You're talking about hundreds of thousands of dollars to influence state level elections and millions for country wide elections.
The beauty of mail is that while there are attack vectors, they are expensive, easily noticeable, and have a very high barrier to entry.
On the other hand, say you have a perfect voting machine, I'm skeptical, but I'll give you that, it's certainly possible. Now, let's assume that they have to either be stored in a warehouse with armed guards, or reimaged every time they are used. There's a simple attack vector there of only one or two people you have to turn. This is the old crypto breaking with a pipe wrench vector, though cash money is probably just as easy. That is the same failure that paper has, but you have to go to hundreds of thousands of places to get that done. You can probably keep a couple people quiet, but a few thousand?
Paper by mail has a very high tamper barrier and is available now. States could do it in November.
>How do you engineer around the misinformation vector thou? That's the hard problem.
You can solve both with good education but public education will never teach people to think critically about government en masse because the committees of bureaucrats that decide the curriculum and the teachers that teach it get a government paycheck at the end of the day. They're not gonna be inclined to go all out when it comes to teaching people about things like gerrymandering, propaganda, etc. This is not for any nefarious reason or the result of any conspiracy, people just tend to see the good but not the bad when it comes to their source of income. The incentive system is simply not set up in a way to produce voters who think critically.
Use the post office. Use paper ballots in the mail. Many security issues vanish if polling places are no longer rich targets. In my state of residence, my ballot is sent in the mail, and I get SMS notifications when it is sent to me and when it is counted.
Oregon and other states have a documented history of non-issues with this system, especially compared to existing systems in Georgia or NC. Vote by mail is incredibly successful in getting people to vote securely. It's those who wish to decrease turnout or ability to vote who fight such successful systems.
There is a liberal majority that votes Democrat, not Republican. Guess which states make it easier to vote and have a voice in our democracy? It isn't the red ones.
Yes, I agree with you that the additional convenience can help with turnout, which is an especially important thing these days.
However, here in Brazil I am convinced that vote-by-mail would only exacerbate the widespread vote-coercion problems we already have in areas that are dominated by drug traffickers or paramilitary groups.
(While we are at it, there are lots of other factors other than vote-by-mail that affect voter turnout and voter disenfranchisement. Certainly one of the biggest ones is that the US elections do not take place on a national holiday, and that there can be a lot of bureaucracy involved in registering as a voter)
We have a system where you can go and see a webpage say your vote was counted after you mail in your ballot. What you can't do is tell if that webpage is accurate.
This still feels like a tractable problem in the domain of pure crypto if you divide it into a commitment scheme and a tabulation step.
I like the idea of snail mailing a PIN number for an online system. But I’m a layman on the security issues that complicate what seems easy, is it the MITM risk of anything over a wire?
Disenfranchisement (e.g. requiring voter ID) and gerrymandering are far more significant issues for the democratic process in the USA than ballot security, which is a relatively solved problem.
Most countries automatically and freely issue said ID, the voter ID attempts in the US disenfranchise poor people and people who, for whatever reason, cannot attain the ID required.
Source? In the US I need a valid ID to cash a check, pick up a benefit check, apply for government benefits, buy cold medication, board an airplane, open a bank account, etc. This is a short list off of the top of my head. Are all of these activities disenfranchising me?
You can sign it over to someone else and have them cash it. Also many employers (especially in poor areas) offer paychecks on a prepaid card. No check necessary.
> apply for government benefits
You can often do this with lesser IDs such as a birth certificate or school ID, which are often not accepted at the polls.
> buy cold medication
Poor people don't buy much cold medication.
> board an airplane
Poor people don't board many airplanes.
> open a bank account
Poor people are notoriously underbanked, and often don't trust banks anyway (especially since banks have a bad habit of targeting the poorest customers with the highest fees).
Why should I need to be able to drive to vote? Or go through the rigamarole of getting a passport?
ID in the US is a huge PITA. There's no reason to require it for voting anyway, fraud isn't a real problem. It's just a good way to prevent poor people from voting.
IDs are not a problem in principle. But there is barely any voter fraud at all (see Trump's commission), thus no real reason to enact law. Why do politicians nonetheless spend their political capital doing so? Often their new rules just so happen to help the people voting for them and hinder their opponents. North Carolina [0] was one of the more egregious cases.
Most countries register their citizens to vote too, and have national ID. If you were already registered to vote in the entire union automatically, and you had an ID-card (like the SSN, but actually good for identification with any security built into it) that would work everywhere in the US I wouldn't have a problem with requiring voters to ID themselves.
Why the US refuses to do either of those things, instead putting a lot of hassle on the population when election participation is so low it jeopardizes the fundamentals of democracy, that people feel like the government actually represents them, I have no idea.
At the polling place they have a list of registered voters and mark them off when they vote.
If people were voting under other people's names in significant numbers, it'd be obvious when the real voters came in and found out they were already marked. That very seldom happens.
The reason people don't do it is probably that an extra vote or two is unlikely to make any difference, so the risk/reward is poor. It's hard enough getting people to take the time to vote in the first place, much less risk a felony conviction to vote more than once.
There are two problems. One is duplicate votes, which may be an insignificant problem. The second is public perception of the fairness and security of elections. The first is a problem; how big a one I don't know. The second is a problem, and a big one.
Step 1) Make sure the guy in charge of bringing election security bills to vote on the Senate floor can't accept campaign donations from voting machine companies [1].
Step 2) Bring election security bills to vote on Senate floor.
Both are important, but WRT elections, faith in security is as important as actual physical security. I don't see how a black box of tech can convince a layperson that voting is secure. We need more in the way of audit trails and accountability.
The toughest part is ensuring anonymity and privacy while ensuring someone can only vote once, ensure the vote is legitimate, and accounted for.
The only way I can see that is using a PKI-based ID to validate the ID of someone, but then how do you ensure that person can vote anonymously and only once?
Back when we were all agonising over "Hanging Chads" in Bush v. Gore, Bruce Schneier published a series of collaborative works featuring the back & forth design of secure paper ballots + digital voting. So that was what? 2000?
Surely the problem then isn't technical, it's cultural and political.
IMO it shouldn't be all or nothing, here's a system I think would be the best of both worlds:
- Allow people to express voting intent & go through the candidates on the ticket with a website/app (as strong as it can be), which spits out some random ID/QR code
- Widen voting time period to months
- Support mail-in-ballots in more states
- Add a mandatory # of holidays per year (with proof of vote, notification of which local/national election the person is voting in)
- Require people to confirm their vote in person, with the option to vote with the QR their phone generated (and a confirmation screen afterwards for them to review), with every vote required to take a certain amount of time in the booth (to prevent timing people to figure out if they used their cell phone or not).
This setup allows for a few things:
- Early consideration of candidates and their positions and the ability to save how you were going to vote once you're in the booth
- More signals of voting intent that could be used to detect fraud (in addition to random sampling)
This scheme probably needs more thought to prevent election tampering, but I think adding a digital element as additive would be a benefit. If the digital element detects voting intent that sharply diverges from voter rolls, then a recount in whatever county is triggered.
I had thought that this was a great opportunity for blockchain, if identity could be solved reliably. That being said, identity is already being solved through IDs, voting stations, home-delivered ballots, etc.
The audit-ability and reproduce-ability would be great features, while cost and latency wouldn't be huge problems for voting.
There were even a few startups in the space (e.g. Votem), but none seem to have made the jump to doing real elections. Votem did a few smaller voting experiments like a vote for the Rock & Roll Hall of Fame, but never made its way to state elections.
I hope that DARPA can not only inspire innovation, but also help startups break into the difficult game of government contracting.
You can't have an anonymous system that simultaneously allows meaningful verification: if there is no way to tie me to my vote in the system, then there is no way for me to prove that my vote was misrepresented to anyone but myself. Even if there were, there is no way for me to prove that my claim about my vote is correct. Even if many people come out claiming that their votes are mis-represented, there is no way to know whether that is a sign of errors/tampering with the system, or a concerted campaign to try to put the election in doubt.
Any system which foregoes physical proof of voting as a base for the count, relying instead on after-the-fact verification, is open to this problem. A complex system, whether software or even mechanical, can never match this level of confidence.
I wonder if biometry (e.g. a fingerprint) could be reliably used as the private key (and thus the identity on the blockchain). That is, without a 3rd party / external system.
For trust, the network (as any blockchain network) would have to be properly decentralized, and (good or at least benevolent) people would have to be incentivized to run the network. I.e. there would be a monetary value (a coin, or a token), which would have its own pros and cons as seen by various parties.
(Mentioning fingerprints, I cannot but reference the movie Southland Tales, which in my view was the most prophetic movie ever made.)
There used to be a problem with vote buying / coercion. If you can prove you voted one way or another, you can sell your vote, or your employer can fire you for voting the wrong way (for example).
Given postal votes are a thing, and have been for many years (at least for UK/AU/NZ), are there still such stringent requirements on making it difficult/impossible to buy/coerce votes? Since both can be done using postal votes already.
Does this then open up more digital options? E.g. app based voting where your vote is published along with everyone else's but in anonymised form, so everyone can independently verify the totals. By anonymised I mean the app displays a random "vote reference ID" that you could check in the final published ledger to see your vote was included, and was recorded correctly.
1. go vote
2. check to see who hasn't left their house today via open source GPS indicators
3. vote as them too because it's illegal for those at a voting station to ask to verify your identification
4. ???
5. undetectable voter fraud
There's a high chance you'll go try to vote as someone who simply didn't register. In California you could then register as that person and vote provisionally, but polling officials will check your identification.
Alternatively you may attempt to impersonate someone using vote by mail. In that case, there won't be a ballot to vote at the polling station, and even if you are able to successfully register provisionally or convince polling workers to give you a blank to fill out, election officials are already looking for these kinds of duplicates.
I know Ron Rivest has a lot of interest and work invested into securing voting systems.
I can't point you to a direct paper, but if you Google it I'm sure you'll find more than enough.
Those who are involved in the American election industry, from government to vendors or consultants, have committed to a platform based on verified C. The industry continues to refuse to adopt a memory safe language such as Rust. Granted, the investment in a new toolset is costly. However, the benefits are very compelling. In the meanwhile, industry will crutch its toolset decisions with white hat hacking events, bug bounties, millions of dollars in contracts supporting audits and testing, etc.
Path dependence is costly. In the case of elections, more than money is at stake. Industry must move beyond verified C to Rust.
Ballot security is a solved problem (but, sadly, I think DARPA knows this, which makes me wonder what’s really motivating this work):
Use paper ballots. Scan them at the polling place for fast electronic tally.
Audit a statistically significant random sample of the paper ballots after the election, and do a full recount if any discrepancy is found.
Prosecute people that violate chain of custody for the ballot boxes. (Give this power to a non-partisan authority.)
There are open problems around tampering with voter rolls; this is done both by state governments and foreign powers. We still need a scheme to make this more detectable (and to invalidate the election when it happens).
Occasionally we hear about "found" ballot boxes especially around recount time. How do they get lost? Or what does it mean when they say they lost them (and found them)? I'd imagine it's more prevalent than we hear as it seems rather odd if they only disappeared and reappeared in contested elections.
Exactly. If chain of custody is broken, it's not in the pile. People from all sides of the electorate should be able to observe every box at all times if they wish to follow it.
Mail in voting is similarly exceptionally easy to game. Oops, lost 1% of that zip code... bummer...
Imagine a very large mostly volunteer-run event that only runs once a year or so and where some fraction of the volunteers are running the event for the first time.
At the end of the day all the important equipment gets packed up, shipped somewhere, and unpacked.
But sometimes -- rarely, but sometimes -- some really important piece of equipment gets left behind at the event site or unpacked incorrectly at its new location.
I just described marathons, carnivals, and... voting.
In Germany, we also have paper based voting and yet, we do not have the issue that ballot boxes disappear. Everything, and I mean literally everything, is accounted for, and if the numbers do not match up (e.g. fewer ballot boxes than before, or n(valid votes)+n(invalid votes) != n(total votes)) there is an immediate recount. No one leaves until shit is done, and if it gets too late everything is packed up, sealed and boxes counted.
The horror stories of the US are a failure of their system, not of paper voting.
That's normal in New Zealand as well. I can vote with no form of ID.
Requiring voter ID disenfranchises marginalised and poor voters, who may not be able to obtain ID easily. I know several people who have no form of government issued ID.
It's different in countries like Germany and France, where compulsory national ID is a thing.
Rates of fraud and abuse are low enough that this isn't an issue. Technically I could go and vote in somebody else's name, and hope they also didn't vote, and I most likely wouldn't get caught. But if they did vote as well, then the double-vote would be noticed (people have been caught casting multiple votes in the past) and would be investigated.
I'm not sure what the laws are in NZ, but can a non-citizen vote in a NZ election? If no one checks for any sort of ID, how do they ensure that there isn't any fraud? In a democracy, I'm honestly not convinced that 'it's not that big of a problem yet' is a sufficient answer.
The problem is that the system would be run by racist state governments who would construct the system in the worst possible way.
(Not a conjecture, this was actually evidence in one of the various voter ID lawsuits; the state government had constructed a table with impact assessments of various approaches, then picked the one with the worst impact)
Just because ID is free does not make it universally accessible.
If the office that hands out ID cards is only open 9-5 Mon-Fri, for example, a voter who must work during this time and can't afford to miss work may not be able to get ID.
It’s not for you to buy. This is a well studied, well analyzed area because the GOP wants voter ID laws to reduce minorities and the poor at the polls.
Not everyone has a car, and if you don’t have a car, then you probably don’t have a passport, and if you don’t have a car or passport, then you likely don’t have a valid photo ID.
It doesn't require ID but is verified against other records and against the electoral register in other regions, i.e. you can't register in two different places. When housemates have moved out I have received letters asking me to re-confirm who is living in the house for the electoral register.
> I think this is a big part as to why postal voting fraud happens.
It might happen, but it is exceptionally rare. The impact of introducing voter ID laws would cause a far larger decrease in election validity due to voter suppression than postal voting fraud causes.
Sounds good, just get rid of the ballot box problems by scanning the paper ballot right after it's cast. Voting would go like this: wait in line, confirm your address, vote on paper, watch the person upload your vote, take your printed receipt confirming the upload was received, leave. Security problem solved.
You don't digitize elections for efficiency. You do it for security. The idea that paper ballots are a secure form of voting is ridiculous. The only reason people think that they're secure is that they're so profoundly insecure that we have no way of auditing them effectively and so never uncover anything that may be happening to them.
Not to mention the fact that access and efficiency are in fact forms of election manipulation. The inefficiency of the process keeps people from voting who otherwise would. That has political consequences and is absolutely used as a means to cause outcomes that otherwise wouldn't happen.
Uh, no. Computing is the absolute opposite of security. Doubly so for anything networked.
If you want to take anything secure, and make it unsecure, simply transform it from paper, and put it on a computer. Bam!
Paper is millions of times more secure than a computer. No piece of software is ever, ever secure. There are always, literally always thousands and thousands of hardware, and software vulnerabilities just waiting to be exploited.
Compared to any form of computerized voting, ballots are insanely secure.
But what you're missing here is process. Paper voting has been around for a very, very long time. Process is well established, very simple to do, but it seems the US is always changing how to count, how to tally, and more.
But, to pause and take a step back ... I'm not sure how you think adding a computer to the mix, improves auditing. The entire point of a voting system, is that your vote remains anonymous. Therefore, the device or method that records your vote? Must not ever ever be assigned to you. And this also includes any form of anonymization.
This has also been handled for a very, very long time. Again, by process.
I wonder, how many years have you (or others advocating a computer inserted into the voting process), studied in depth the chain of trust used with paper ballots? Or precisely how ballots are counted? Or, even months? Weeks?
All I know is that when I researched paper ballots here in Canada, every aspect I could think of was covered. And that's what you'd expect, from a voting process that evolved over literally hundreds of years, with deep thought put into each voting cycle.
> If you want to take anything secure, and make it unsecure, simply transform it from paper, and put it on a computer. Bam!
In what way, exactly, do you think paper voting is 'secure'? Do you think pieces of paper cannot be forged? Do you think it's difficult to swap out election boxes or to alter ballots?
> But, to pause and take a step back ... I'm not sure how you think adding a computer to the mix, improves auditing. The entire point of a voting system, is that your vote remains anonymous. Therefore, the device or method that records your vote? Must not ever ever be assigned to you. And this also includes any form of anonymization.
Sure, if you think about it for only about 1 second, the system you might come up with sucks. However, people have thought about it for more than 1 second on occasion, and come up with some pretty good designs:
Again, you're missing the key here. Process. And current paper process includes auditability, security, and more.
Done correctly, it is insanely difficult to swap out an election box. Where would you do it?
At the polling station, where members from ALL political parties are present? Volunteers are present too. All together watch the voting process, following through to opening the ballot box, and performing the initial count.
How, then, are election boxes to be secretly swapped?
On top of this, all ballots are serialized. Each voting station has multiple voting boxes. Voting boxes are sealed. How are you going to compromise them?
What I find astonishing, is how intensely some people seem to want to use computing for everything. Paper ballots, and the process used to employ them, are incredibly secure. Incredibly.
It's a problem that absolutely, positively does not need to be solved. At all.
Yet people are consistently working very diligently to do so, and the only real reason for that is one. Profit.
And we don't need that motive in an election counting process.
So, you believe that because a small group of people are kinda sorta overseeing this process over a long period of time, it is secure? Large groups of people watching intently are deceived extremely effectively and reliably by magicians all the time. I see no reason to think that the mere fact that some random citizens are "overseeing" the process makes it in any way secure.
The point is: a properly designed cryptographic voting system would make all of this provably secure. We wouldn't need to rely on witnesses paying attention, any citizen would be able to verify the integrity of the entire election on their home computer. That is why electronic voting is the best system.
Nope. You never can audit most of it. Especially the hardware and firmware at vote time.
And that's a false arg anyway, even if you could "audit" it (ask the hardware nicely to not lie to you:), it's still a (really) bad idea: https://www.youtube.com/watch?v=w3_0x6oaDmI
I know why you think that is so. But I have already explained elsewhere in this thread why you're wrong. So why don't you look into it a little for yourself.
Of course pieces of paper can be forged... one at a time. To do so in volume requires a somewhat large operation.
I mean, sure, anyone with a laser printer can print 10,000 pieces of paper. 10,000 ballots, though... you'd have to get the right paper, the exact size, the exact font and layout. Then you'd have to move your printed ballots into the ballot stream, upstream of where they're counted. That could be done, but as I said, it's a somewhat large operation.
Compare that with changing a SIM card, where you can change multiple votes at once.
If all it takes to defeat your electronic voting system is changing a SIM card then you haven't designed a very good electronic voting system. There are cryptographic voting schemes that are much harder to defeat than that, and I've already linked them in this thread.
Affecting a(n electorally) significant number of paper votes requires the compromise of more people and leaves more evidence than for electronic votes. (In general, for the quality of voting generally seen in first world countries)
Can you do better in theory, yes. Have we seen any evidence that various US election bodies can do better through using electronic voting, no. The exact opposite in fact.
It's similar to passwords: writing down all your passwords in a notebook and keeping it in your desk drawer is a bad idea. But it's usually significantly harder to break into millions of desk drawers than to break any given site's security.
> Affecting a(n electorally) significant number of paper votes requires the compromise of more people and leaves more evidence than for electronic votes. (In general, for the quality of voting generally seen in first world countries)
If we didn't have an electoral college, that might be true. But the reality is that you don't need to compromise that many people in that many places to have a decent probability of tipping a close election one way or the other.
> Can you do better in theory, yes. Have we seen any evidence that various US election bodies can do better through using electronic voting, no. The exact opposite in fact.
Which is exactly why DARPA is researching the problem.
I thought it was nonsense when I first heard it, but the traditional paper system is actually more secure than a completely digital system. Here is a really good video explaining it: https://youtu.be/w3_0x6oaDmI
Blockchain all the votes with layered encryption...
Top Level) General population can only verify their own votes
Mid Level) Counties can tally their county only
Low Level) States can tally up their states only
Ground Level) Federal government can tally up all votes.
The blockchain ledger will allow everyone to see votes without knowing individuals. To get name and location and other data, you need to be at a lower level.
Individuals can see their own vote, and who they voted for, right?
If that's the case, it would be evidence that an individual voted for a specific candidate. This is, essentially, proof for anyone who'd want to purchase votes.
If they can't see who they voted for, they'd need some alternative way to verify that their vote counted for the candidate they wanted to vote for, without actually disclosing who that candidate is. Which would add some complexity to the solution.
You could also add a second layer of security here pretty easily. People would probably need to be given a printout with their hash on it. To avoid this receipt being proof, that receipt would include a large number of hashes with various voting combinations also shown. The voter knows which hash is his, but nobody else does. And he's free to claim whichever one he likes for himself.
To solve the issue of first voters (when there would be no other valid hashes for their printout) simply seed all candidates with a billion votes to start. Which hash is real and which is 'fake' is irrelevant since all that matters is the sum total of which we know 1 billion are to be removed.
How would that work? If they would get any hash that is not bound to them in any verifiable way, how does that prove to THEM that they are verifying their own vote?
Another complexity is ensuring there aren't superfluous votes. Everyone can verify their own, but what if there were several million "hacked" extra votes.
This is a pretty easy one to solve since the number of votes is not privileged information. Simply publicly record the number of votes as each person goes in to vote. This can be verified/observed by whoever wishes to do so. You could even require a large public display at each station. Pair that with a camera record that can also be verified. One person enters, the display should go up by one. And from there you have simple math:
The sums of the polling stations should equal the district.
The sums of the districts should equal the state.
The sums of the states should equal the nation.
I have to say it also makes me wonder what in the world DARPA is thinking. Modern technology makes possible, somewhat trivially, elections that would be nearly impossible to fake in any way, shape, or form. And I'm certain this isn't exactly a secret to DARPA.
You'd want a system where each citizen receives an ID/key, and there is no way to tell who a particular ID/key voted for, but if you know your ID/key, you can look up whether you voted. This should deter anyone from voting in anyone else's name, since they'd be likely to be exposed if they did it at an impactful scale.
The only other way to forge votes would be to invent new people that don't really exist, or maybe piggyback on recently deceased people. These are both problems that should be fairly straightforward to address if you have decently efficient administrations keeping track of things.
A simple way would be to use a public key ID that can be used to check if that key voted, and a private signing key. The list of all legitimate IDs is public (though not linked to identities). Anyone can see the total number of legitimate keys, and anyone can check to see how many of those keys voted, and verify that the number of voting keys from the national list is in fact equal to the global vote total. That same total can be cross-checked with the census and other sources of voting age population data.
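The public-key-ID scheme sketched in the last two comments (a published registry of legitimate keys, a private signing key per voter, a public "did my key vote" check, and the invariant that the number of registered keys that voted equals the ballot total) can be tried out in a few dozen lines. The program below is an added illustration written for this page, not code from any commenter or from DARPA's programme; it assumes Ed25519 from Go's standard library as the signing scheme, a map as the registry, a slice as the public ledger, and a constructed three-voter election whose ledger deliberately mixes valid ballots with the cases the tally has to reject (an unregistered key, a second ballot from the same key, and a ballot for one ID signed with another voter's key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Ballot is one entry on the public ledger: the voter's public key ID (never
// linked to a name), the choice, and an Ed25519 signature over "keyID|choice".
type Ballot struct {
	KeyID     string
	Choice    string
	Signature []byte
}

// Registry is the published list of legitimate voting keys. It holds only
// public keys, so it reveals how many eligible keys exist, not who holds them.
type Registry map[string]ed25519.PublicKey

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Register issues a key pair: the public half goes into the registry, the
// private half is handed to the voter.
func Register(reg Registry) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg[keyID(pub)] = pub
	return keyID(pub), priv
}

// CastBallot signs the choice together with the key ID, so a signature cannot
// be lifted from one ledger entry and replayed under a different ID.
func CastBallot(id string, priv ed25519.PrivateKey, choice string) Ballot {
	sig := ed25519.Sign(priv, []byte(id+"|"+choice))
	return Ballot{KeyID: id, Choice: choice, Signature: sig}
}

// TallyResult is everything a member of the public needs to re-check the count.
type TallyResult struct {
	Counts   map[string]int  // votes per choice
	Accepted int             // ballots that passed every check
	Rejected int             // unknown key, bad signature, or duplicate
	Voted    map[string]bool // registered key IDs that cast a valid ballot
}

// Tally verifies every ledger entry against the registry. Unknown keys, bad
// signatures and second ballots from an already-counted key are rejected.
func Tally(reg Registry, ledger []Ballot) TallyResult {
	res := TallyResult{Counts: map[string]int{}, Voted: map[string]bool{}}
	for _, b := range ledger {
		pub, known := reg[b.KeyID]
		msg := []byte(b.KeyID + "|" + b.Choice)
		if !known || res.Voted[b.KeyID] || !ed25519.Verify(pub, msg, b.Signature) {
			res.Rejected++
			continue
		}
		res.Voted[b.KeyID] = true
		res.Counts[b.Choice]++
		res.Accepted++
	}
	return res
}

// Consistent is the public invariant from the comment: registered keys that
// voted == ballots counted, and the per-choice counts sum to the same number.
func Consistent(res TallyResult) bool {
	sum := 0
	for _, n := range res.Counts {
		sum += n
	}
	return len(res.Voted) == res.Accepted && sum == res.Accepted
}

// HasVoted is the check a voter runs with their own key ID: it answers
// whether the key voted, not what it voted for.
func HasVoted(res TallyResult, id string) bool { return res.Voted[id] }

// Outcome bundles the constructed election so its properties can be checked.
type Outcome struct {
	Res        TallyResult
	Registered int
	AliceVoted bool
	CarolVoted bool
}

// RunElection builds a constructed three-key registry and a ledger that mixes
// valid ballots with the failure modes the tally must reject.
func RunElection() Outcome {
	reg := Registry{}
	alice, aliceKey := Register(reg)
	bob, bobKey := Register(reg)
	carol, _ := Register(reg) // registered but abstains
	outPub, outPriv, _ := ed25519.GenerateKey(rand.Reader) // never registered

	ledger := []Ballot{
		CastBallot(alice, aliceKey, "A"),
		CastBallot(bob, bobKey, "B"),
		CastBallot(bob, bobKey, "A"),            // duplicate: bob's key already counted
		CastBallot(keyID(outPub), outPriv, "A"), // unknown key
		CastBallot(carol, aliceKey, "A"),        // carol's ID signed with alice's key
	}
	res := Tally(reg, ledger)
	return Outcome{Res: res, Registered: len(reg),
		AliceVoted: HasVoted(res, alice), CarolVoted: HasVoted(res, carol)}
}

func main() {
	o := RunElection()
	fmt.Printf("registered %d, accepted %d, rejected %d, counts %v, consistent %v\n",
		o.Registered, o.Res.Accepted, o.Res.Rejected, o.Res.Counts, Consistent(o.Res))
}
```

Running it gives three registered keys, two accepted ballots (A:1, B:1), three rejected, and a consistent tally; Alice's key shows as having voted and Carol's does not. Note what this does and does not buy: the ledger pairs each key ID with its choice, so anyone who can link a key ID to a person learns that person's vote, which is exactly the coercion and vote-buying concern raised earlier in the thread. Hiding the choice while keeping the count publicly checkable is the part that needs the commitment-scheme and mix-net machinery other comments allude to.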