voting
John Kelsey
kelsey.j at ix.netcom.com
Thu Apr 15 01:07:31 EDT 2004
At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
...
>1. The use of receipts which a voter takes from the voting place to 'verify'
>that their vote was correctly included in the total opens the way for voter
>coercion.
I think the VoteHere scheme and David Chaum's scheme both claim to solve
this problem. The voting machine gives you a receipt that convinces you
(based on other information you get) that your vote was counted as cast,
but which doesn't leak any information at all about who you voted for to
anyone else. Anyone can take that receipt, and prove to themselves that
your vote was counted (if it was) or was not counted (if it wasn't). (This
is based on attending a presentation of David's scheme at George Washington
a few months ago, a conversation I had with a VoteHere guy, and some
conversations and documents given to me by each. I haven't tried to verify
the protocols or proofs, but I'm convinced that all this is possible,
modulo various assumptions. There may be a dozen other people doing
similar things, that I've simply not heard of.)
...
>1. How does this system prevent voter coercion, while still allowing receipt
>based recounts? Or do you have some mechanism by which I can
>personally verify every vote which went into the total, to make sure they
>are correct?
The way I understood these schemes, you can see the initial encrypted
ballots (they're published), and then there are several rounds of
publically verifiable shuffling and decryption by different TTPs. After
the last round of shuffling and decryption, you have raw votes. So anyone
can verify the count, assuming the set of initial encrypted ballots are
legitimate. And anyone can produce a receipt that can be shown to be one
of those encrypted ballots, if it was counted. That doesn't keep someone
from stuffing the ballot box, but it does mean that anyone who throws away
unfavorable votes is going to leave behind evidence, which can potentially
call the whole vote into question. The way I saw these schemes described,
there was no recount capability, but the count was done in a completely
public way.
It seems to me that this kind of scheme has a lot of potential for
disruption attacks, since one compromised voting machine can be used to
call any election into question. But I could be missing something, as this
is really not something I've spent a lot of time on....
>2. On what basis do you think the average voter should trust this system,
>seeing as it's based on mechanisms he or she cant personally verify?
I see your point, but there's an awful lot of any voting system that isn't
being closely observed by the voters, or that isn't really well-understood
by most of them. It's not so clear to me that the average voter is going
to walk away convinced that a voter-verified paper ballot, or a mark-sense
ballot, or whatever other thing isn't going to somehow be subject to
attack. Or that if they do walk away convinced, that this has much to do
with whether they *should* walk away convinced.
>3. What chain of events do I have to beleive to trust that the code which
>is running in the machine is actually and correctly derived from the
>source code I've audited? I refer you to Ken Thompsons classic paper
>"Reflections on trusting trust", as well as the recent Diebold debacle
>with uncertified patches being loaded into the machine at the
>last moment.
Yep, this is a big issue. Which is why I think everyone with any sense
agrees that we need some kind of independent audit trail, regardless of
whether we're doing voting with computers, or with pens for punching out
holes. There are a bunch of ways to do this, one obvious and pretty
easy-to-field choice being voter-verified paper ballots.
>This last is an important point - there is no way you can eliminate the
>requirement of election officials to behave legitimately. Since that
>requirement can't be done away with by technology, adding technology
>only adds more places the system can be compromised.
Huh? Do you think the same is true of payment systems? Those also
ultimately require some humans to play by the rules, but it sure seems like
a well-designed payment system can remove a lot of the ambiguity about who
has violated the rules, and can outright prevent other kinds of rule
violations. And it seems to me that this is very similar to the situation
with voting.
Touch screen voting (with the audio extensions) has at least one huge
advantage over pen-and-paper schemes, because blind people can vote with
them. The VoteHere and Chaum schemes provide other benefits (a lot of
kinds of misbehavior by the authorities are prevented by the design, though
of course, not *all* possible misbehavior), at various costs in system
complexity, dependence on lots of interacting systems that might not be all
that reliable, ability to recover from some low level of fraud, etc. Paper
ballots printed behind glass provide a different set of tradeoffs. And you
could design twenty other sets of tradeoffs. I'm not at all convinced that
the way we optimize for best security is to minimize technology.
I agree that it's easy to get carried away by the elegance of your
mathematics, or by the really spiffy blinking lights on the computer, and
forget the essentials. But technology and math aren't somehow inherently
bad things to introduce to voting systems. It just has to be done in a way
that makes sense, right?
...
>I do think electronic voting machines are coming, and a good
>thing. But they should be promoted on the basis that they
>are easier to use, and fairer in presentation, then are manual
>methods. Promoting them on the basis that they are more
>secure, and less subject to vote tampering is simply false.
Less subject to vote tampering than the old machines with mechanical
counters and levers? That's not too hard. Less subject to vote tampering
than paper ballots marked by hand, that may be a little more of a
challenge. I think it's more fair to say that the attacks and threats will
be different, and that the risk of a class break (work out the details of
the attack once, then change votes all over the country) is seriously
scary. But it's sure not clear to me that adding computers to the mix must
decrease security, or even must leave it unchanged.
>Peter Trei
--John Kelsey, kelsey.j at ix.netcom.com, who is definitely speaking only for
himself.
PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list