Analyzing Physical Adversarial Example Threats to Machine Learning in Election Systems

Imagine a massive, high-stakes game of Connect the Dots, but instead of drawing a picture, you are casting a vote. In the United States, most people still use paper ballots where they fill in little bubbles next to a candidate's name. To count these millions of ballots quickly, election officials are starting to use "smart scanners" powered by Machine Learning (AI). These AI models look at a photo of a ballot and decide, "Oh, this bubble is filled, so that's a vote for Candidate A."

This paper is a security audit asking a scary question: What if a hacker could trick the AI into seeing a vote that isn't there, without the human eye noticing?

Here is the breakdown of their findings, using some everyday analogies.

1. The "Invisible Ink" Attack

The researchers imagined a villain who manages to hack the ballot printers. Before the ballots are even handed to voters, the hacker adds a tiny amount of "digital noise" to the blank bubbles.

The Trick: To a human, the bubble looks perfectly blank. It's like a piece of paper with invisible ink that only a specific camera can see.
The Result: When the AI scanner looks at the paper, the "invisible ink" makes the AI think the bubble is filled. The voter didn't vote, but the machine counts a vote anyway.

2. The "Magic Number" (How many fake votes do you need?)

The first part of the paper is like a mathematical crystal ball. The authors built a formula to answer: "How many of these invisible-ink ballots do we need to print to flip an election?"

The Analogy: Imagine a race between two horses, Bob and Alice. Bob is winning by a small margin. The hacker wants Alice to win.
The paper calculates that if the race is close, the hacker doesn't need to hack every ballot. They only need to hack a specific, small percentage (like 1% or 2%) of the total ballots.
The Takeaway: If the election is tight, a relatively small number of "tricked" ballots can change the winner. The paper gives officials a way to calculate exactly how many fake votes would be needed to cause a disaster.

3. The "Digital vs. Physical" Surprise

This is the most interesting part of the paper. The researchers tested six different types of "invisible ink" (mathematically called norm attacks). They tested them in two worlds:

World A (The Digital World): The hacker sends a digital file to the computer. No printer is involved.
World B (The Physical World): The hacker prints the ballots on a real printer, then scans them back in, just like a real election.

The Big Twist:

In the Digital World: The most effective tricks were the ones that spread noise evenly across the image (like sprinkling salt everywhere).
In the Physical World: The "salt" trick failed! Why? Because real printers are messy. They smudge, they have grainy textures, and they don't print perfectly.
The Winner in the Real World: The most effective attack was a different type of noise (called L1) that acted more like focusing a laser on specific tiny spots.
The Lesson: You cannot just test security on a computer screen. It's like testing a parachute by dropping it from a chair in your living room. You have to test it in the wind and rain (the real printer) to see if it actually works. The paper proves that attacks that look scary on a screen might be harmless in real life, and vice versa.

4. The "Complexity Trap"

The researchers tested four different AI models, ranging from a simple one (like a basic calculator) to a super-complex one (like a supercomputer).

The Expectation: You'd think the super-complex AI would be harder to trick.
The Reality: The complex AI was actually easier to trick in some cases.
The Analogy: Think of a complex AI like a very sophisticated security guard who has memorized every rule in the book. A hacker can sometimes trick them by exploiting a weird, specific loophole. A simple guard (a simpler model) might just say, "That looks suspicious, I'm not letting it through," and be more robust against these specific tricks.

5. The "Denoising" Solution

The paper also tried to fix the problem. They created a "cleaning filter" (like a photo editor that removes scratches) to clean up the scanned images before the AI looked at them.

The Result: This helped a lot! It made the AI much harder to trick. It's like putting a clear, protective glass over the ballot before scanning it.

Summary: What does this mean for us?

This paper is a wake-up call for election officials.

AI is powerful but fragile: If we use AI to count votes, we must know exactly how many fake votes it takes to break the system.
Don't trust the screen: You can't just test election security on a computer. You have to print the ballots and scan them, because the real world (ink, paper, scanners) changes how the attacks work.
Better defenses exist: By understanding these "invisible ink" tricks, we can build better scanners and cleaning filters to stop them before they happen.

The authors aren't trying to break elections; they are trying to find the holes in the fence so we can fix them before a real bad actor shows up. They even made their "tools" (code) available so other security experts can try to break it too, making the system stronger for everyone.

1. Problem Statement

The paper addresses the security risks associated with using Machine Learning (ML) models for classifying paper ballots in U.S. elections. While ML models have demonstrated high accuracy (>99%) in digital ballot classification, they are vulnerable to adversarial examples—inputs modified with imperceptible noise ( $\delta$ ) that cause misclassification by the model while remaining recognizable to humans.

The core problem is twofold:

Quantifying Impact: It is unclear how many adversarial ballots must be physically printed to flip the outcome of a real-world election.
Physical vs. Digital Gap: Previous research focused on digital attacks (specifically $l_\infty$ norm). It is an open question which type of adversarial attack (defined by different mathematical norms) remains most effective when the digital perturbation is translated into the physical world via printing and scanning, a process that introduces noise and non-deterministic distortions.

2. Methodology

The authors employ a hybrid approach combining probabilistic modeling, digital simulation, and extensive physical experimentation.

A. Probabilistic Election Attack Framework

The authors derive a mathematical framework to calculate the proportion of compromised ballots ( $p_c$ ) required to flip an election result.

Model: They model the election as a probabilistic process with $N$ voters and two candidates (A and B).
Variables: The framework incorporates the true vote margin ( $\Delta$ ), the probability of voting for a candidate ( $p_b$ ), and the attacker's desired confidence level ($1-\alpha$).
Attack Logic: The attacker adds imperceptible noise to blank bubbles to force the classifier to mark them as filled for their preferred candidate. The model accounts for "overvote" scenarios (where a voter fills a bubble that already has adversarial noise), assuming a worst-case scenario where such ballots are discarded.
Output: A closed-form solution (Equation 8) that determines the minimum number of adversarial ballots needed to change the election outcome with a specific statistical confidence.

B. Digital Adversarial Analysis

Models: Four architectures were trained: Support Vector Machine (SVM), VGG-16, ResNet-20, and a Vision Transformer (CaiT).
Datasets: Two datasets were used:
- Bubbles: Only blank and filled bubbles.
- Combined: Includes blank/filled bubbles plus "marginal marks" (pen rests, scribbles, crosses) to simulate real-world voter behavior.
Attacks: Six different norm-based attacks were evaluated using Auto Projected Gradient Descent (APGD) and Projected Gradient Descent (PGD):
- $l_\infty$ -APGD, $l_2$ -APGD, $l_1$ -APGD
- $l_0$ PGD, $l_0 + l_\infty$ PGD, $l_0 + \sigma$ -map PGD
Parameters: Attacks were tested across various noise budgets ( $\epsilon$ ) to establish "imperceptible" thresholds based on human expert review.

C. Physical Realization (Printing and Scanning)

Pipeline: 144,000 adversarial examples were physically realized.
- Printing: Adversarial images were printed on HP LaserJet Pro MFP 3101fdw laser printers.
- Scanning: Printed sheets were scanned using a Ricoh Fujitsu fi-7160 high-fidelity scanner.
- Preprocessing: Images underwent alignment (ECC), segmentation, and a custom U-Net denoising pipeline to mitigate printing artifacts before re-evaluation.
Scope: Only models trained on the "Combined" dataset (which includes marginal marks) were tested in the physical domain, as these are required for real-world applicability.

3. Key Contributions

Probabilistic Election Framework: The paper provides the first generalized probabilistic framework to quantify the number of adversarial ballots needed to flip an election, moving beyond anecdotal "close race" analyses to explicit statistical quantification.
Digital vs. Physical Discrepancy: The study empirically demonstrates a significant "analysis gap." Attacks that are most effective in the digital domain ( $l_2$ and $l_\infty$ ) are not necessarily the most effective in the physical domain.
Physical Attack Evaluation: The authors conducted a large-scale physical experiment (144,000 examples) evaluating six distinct norm attacks across four different model architectures, establishing a new benchmark for voting system security.
Dataset Advancement: The work utilizes and validates an updated dataset ("UConn Bubbles with Marginal Marks") that includes synthetic voter marginal marks, addressing a gap in prior datasets that lacked these real-world complexities.

4. Key Results

Digital Domain Results

Most Effective Attacks: In the digital domain, $l_2$ and $l_\infty$ attacks were generally the most effective, often reducing model robustness to near 0% for complex models (VGG, ResNet, CaiT).
Model Sensitivity: Complex models (Transformers, CNNs) were highly vulnerable to $l_2$ and $l_\infty$ attacks, while simpler models (SVM) showed mixed robustness.
Dataset Importance: Models trained only on clean bubbles failed to recognize marginal marks accurately. Models trained on the "Combined" dataset achieved >99% accuracy on clean data, proving ML is viable for real-world ballots if trained correctly.

Physical Domain Results

Shift in Effectiveness: The most effective attacks changed in the physical domain.
- $l_1$ -APGD became the most effective attack for three of the four models (VGG, ResNet, CaiT).
- $l_2$ -APGD remained most effective for the SVM model.
- $l_\infty$ attacks, which were dominant digitally, performed significantly worse physically.
Model Robustness: The CaiT (Transformer) model was the least robust overall in the physical domain. This indicates that increasing model complexity (e.g., using Transformers) does not inherently improve security against physical adversarial attacks.
Metric Correlation: Traditional signal metrics (RMSE, KL Divergence, SSIM) used to measure the difference between digital and physical noise did not correlate with attack success. For instance, $l_0$ attacks had the lowest RMSE (closest physical match to digital) but were ineffective, while $l_1$ attacks had higher deviation but were most successful.

5. Significance and Implications

Security Policy: The findings suggest that election security standards relying solely on digital robustness testing are insufficient. Defense mechanisms must be validated through physical printing and scanning experiments.
Attack Vector: The discovery that $l_1$ attacks are highly effective in the physical domain provides a new vector for potential attackers. It implies that sparse, localized perturbations (characteristic of $l_1$ ) survive the printing/scanning process better than dense, uniform noise ( $l_\infty$ ).
Feasibility of Election Flipping: The probabilistic framework allows election officials to estimate the scale of a physical attack required to alter results. For example, in a close race, the number of compromised ballots needed might be within the logistical reach of a determined adversary with access to ballot printers.
Future Research: The paper establishes that "digital-only" security evaluations are flawed for physical systems. Future defense designs for voting systems must account for the non-deterministic noise introduced by hardware (printers/scanners).

In conclusion, the paper demonstrates that while ML is a promising tool for ballot tabulation, it introduces a tangible, quantifiable risk of election manipulation via physical adversarial examples, with the most effective attack vectors differing significantly between digital simulations and physical reality.