Testimony by Ronald L Rivest MIT Institute Professor Cambridge MA Venue Hearing held by Committee on House Administration Chairperson Rep Zoe Lofgren California Hearing Title Exploring the Feasibility and Security of Technology to Conduct Remote Voting in the House Date Friday July 17th 2020 Time 1 00pm EST Testimony both oral and written Chairperson Lofgren and members of the Committee I thank you for inviting me to testify regarding the feasibility of using technology for conducting remote voting in the House My bottom line is that such remote voting is feasible and can be made adequately secure By way of introduction I am an Institute Professor at the Massachusetts Institute of Technology my background includes computer science information security cryptography and election security I am well known for the invention with Adi Shamir and Len Adleman of the RSA public-key cryptosystem the first and still widely used implementation of public-key cryptography enabling both secure communications and digital signatures I have worked for over two decades on voting security I was a member of the Technical Guidelines Development Committee from 2004--2009 advisory to the Election Assistance Commission I chaired the subcommittee on Computer Security and Transparency I am a founding member of the CalTech MIT Voting Technology Project And I am on the Board of Verified Voting a non-profit promoting voting system security especially through the use of risk-limiting audits I speak here only about the security aspects of remote voting not about the appropriateness of remote voting for the House that question is beyond my pay grade I see that the House under Resolution 965 is already using proxy voting for remote voting That resolution also authorized the examination of ways to vote remotely in a secure manner hence today's hearing As noted I think the House is in a good position there are indeed suitable secure voting technologies available The important reason why that is true is that House votes are NOT SECRET Voting in the House is not based on secret ballots That makes all the difference as manipulation or alteration of votes can be detected and corrected For the record I note that in the US SECRET ballot voting was first implemented in Massachusetts in 1888 However implementing secure secret ballot remote voting is still beyond the state of the art Designing a secure voting system requires first of all a clear statement of the security objectives A system can't be said to be secure if there is no specification of what security should mean for that system What are the baseline voting security requirements Here are four 1 Only eligible voters can vote at most once each 2 Votes are cast as intended 3 Votes are collected as cast 4 Votes are counted as collected Each property should not only be true but be VERIFIABLY true Counting tabulation is not an issue since non-secret ballots can be posted publicly and the tally then verified by anyone One recommended principle for achieving voting system security is that of SOFTWARE INDEPENDENCE a notion developed by John Wack and myself This principle basically says that you never want to be in a position where you have to say Well the result must be right because the computer says so In other words the election outcomes must be AUDITABLE Here a sketch of a simple architectural approach for secure remote non-secret voting to illustrate -- there is a public web site where all cast votes are posted -- each congressperson composes his her vote digitally signs it and sends the resulting digitally signed ballot for posting on the public web site Many digital signature schemes are available NIST has developed digital signature standards Digital signatures are now implemented in every browser One approach uses the RSA public-key cryptosystem A nice thing about digital signatures is that the signature on a digitally signed document such as a ballot is verifiable by anyone Note that a digital signature is not just a cut-and-paste image of a handwritten signature it is a mathematical function of the message being signed and secret information specific to the signer Digitally signed ballots can be authenticated using public information both as to origin who the voter is and as to content what the ballot says Vote manipulations are not possible as forging digital signatures is not feasible The most an adversary can do is to delete or duplicate votes An adversary can conceivably delete or duplicate votes even now with proxy voting If a congressperson can't submit a ballot they can't vote Detection and correction mechanisms can work for voting with digitally signed ballots as for proxy voting It is important to note that voters in this case congresspeople can check or audit that their votes are correctly recorded on the public web site Missing votes can be restored The approach sketched here bears many similarities to your current proxy voting procedures the public web site becomes the proxy for those voting remotely Indeed such a system should provide a smooth and secure extension of your current proxy voting procedures which need not be abandoned This sketch is intended only to show that it is possible to use technology to do remote non-secret voting in a secure manner other approaches are possible This concludes my testimony I would be happy to answer any questions you may have