voting

[John Kelsey]

At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
...
>1. The use of receipts which a voter takes from the voting place to 'verify'
>that their vote was correctly included in the total opens the way for voter
>coercion.

I think the VoteHere scheme and David Chaum's scheme both claim to solve 
this problem.  The voting machine gives you a receipt that convinces you 
(based on other information you get) that your vote was counted as cast, 
but which doesn't leak any information at all about who you voted for to 
anyone else.  Anyone can take that receipt, and prove to themselves that 
your vote was counted (if it was) or was not counted (if it wasn't).  (This 
is based on attending a presentation of David's scheme at George Washington 
a few months ago, a conversation I had with a VoteHere guy, and some 
conversations and documents given to me by each.  I haven't tried to verify 
the protocols or proofs, but I'm convinced that all this is possible, 
modulo various assumptions.  There may be a dozen other people doing 
similar things, that I've simply not heard of.)

...
>1. How does this system prevent voter coercion, while still allowing receipt
>based recounts? Or do you have some mechanism by which I can
>personally verify every vote which went into the total, to make sure they
>are correct?

The way I understood these schemes, you can see the initial encrypted 
ballots (they're published), and then there are several rounds of 
publically verifiable shuffling and decryption by different TTPs.  After 
the last round of shuffling and decryption, you have raw votes.  So anyone 
can verify the count, assuming the set of initial encrypted ballots are 
legitimate.  And anyone can produce a receipt that can be shown to be one 
of those encrypted ballots, if it was counted.  That doesn't keep someone 
from stuffing the ballot box, but it does mean that anyone who throws away 
unfavorable votes is going to leave behind evidence, which can potentially 
call the whole vote into question.  The way I saw these schemes described, 
there was no recount capability, but the count was done in a completely 
public way.

It seems to me that this kind of scheme has a lot of potential for 
disruption attacks, since one compromised voting machine can be used to 
call any election into question.  But I could be missing something, as this 
is really not something I've spent a lot of time on....

>2. On what basis do you think the average voter should trust this system,
>seeing as it's based on mechanisms he or she cant personally verify?

I see your point, but there's an awful lot of any voting system that isn't 
being closely observed by the voters, or that isn't really well-understood 
by most of them.  It's not so clear to me that the average voter is going 
to walk away convinced that a voter-verified paper ballot, or a mark-sense 
ballot, or whatever other thing isn't going to somehow be subject to 
attack.  Or that if they do walk away convinced, that this has much to do 
with whether they *should* walk away convinced.

>3. What chain of events do I have to beleive to trust that the code which
>is running in the machine is actually and correctly derived from the
>source code I've audited? I refer you to Ken Thompsons classic paper
>"Reflections on trusting trust", as well as the recent Diebold debacle
>with uncertified patches being loaded into the machine at the
>last moment.

Yep, this is a big issue.  Which is why I think everyone with any sense 
agrees that we need some kind of independent audit trail, regardless of 
whether we're doing voting with computers, or with pens for punching out 
holes.  There are a bunch of ways to do this, one obvious and pretty 
easy-to-field choice being voter-verified paper ballots.

>This last is an important point - there is no way you can eliminate the
>requirement of election officials to behave legitimately. Since that
>requirement can't be done away with by technology, adding technology
>only adds more places the system can be compromised.

Huh?  Do you think the same is true of payment systems?  Those also 
ultimately require some humans to play by the rules, but it sure seems like 
a well-designed payment system can remove a lot of the ambiguity about who 
has violated the rules, and can outright prevent other kinds of rule 
violations.  And it seems to me that this is very similar to the situation 
with voting.

Touch screen voting (with the audio extensions) has at least one huge 
advantage over pen-and-paper schemes, because blind people can vote with 
them.  The VoteHere and Chaum schemes provide other benefits (a lot of 
kinds of misbehavior by the authorities are prevented by the design, though 
of course, not *all* possible misbehavior), at various costs in system 
complexity, dependence on lots of interacting systems that might not be all 
that reliable, ability to recover from some low level of fraud, etc.  Paper 
ballots printed behind glass provide a different set of tradeoffs.  And you 
could design twenty other sets of tradeoffs.  I'm not at all convinced that 
the way we optimize for best security is to minimize technology.

I agree that it's easy to get carried away by the elegance of your 
mathematics, or by the really spiffy blinking lights on the computer, and 
forget the essentials.  But technology and math aren't somehow inherently 
bad things to introduce to voting systems.  It just has to be done in a way 
that makes sense, right?

...
>I do think electronic voting machines are coming, and a good
>thing. But they should be promoted on the basis that they
>are easier to use, and fairer in presentation, then are manual
>methods. Promoting them on the basis that they are more
>secure, and less subject to vote tampering is simply false.

Less subject to vote tampering than the old machines with mechanical 
counters and levers?  That's not too hard.  Less subject to vote tampering 
than paper ballots marked by hand, that may be a little more of a 
challenge.  I think it's more fair to say that the attacks and threats will 
be different, and that the risk of a class break (work out the details of 
the attack once, then change votes all over the country) is seriously 
scary.  But it's sure not clear to me that adding computers to the mix must 
decrease security, or even must leave it unchanged.

>Peter Trei

--John Kelsey, kelsey.j at ix.netcom.com, who is definitely speaking only for 
himself.
PGP: FA48 3237 9AD5 30AC EEDD  BBC8 2A80 6948 4CAA F259


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com