PunchScan voting protocol

John Denker jsd at av8n.com
Sat Dec 15 10:30:08 EST 2007


On 12/13/2007 08:23 PM, Taral wrote:
> On 12/12/07, John Denker <jsd at av8n.com> wrote:
>> Several important steps in the process must be carried out in
>> secret, and if there is any leakage, there is unbounded potential
>> for vote-buying and voter coercion.
> 
> I've done quite a bit of work with this protocol. The protocol assumes
> the existence of an Election Authority. The Authority has the master
> keys required to generate certain data sets, and these keys give the
> Authority the ability to associate ballot numbers with votes. Note
> that this doesn't necessarily give the Authority the ability to
> associate people with votes.
> 
> There are no per-ballot keys, so there is no partial exposure risk.
> It's all-or-nothing.
> 
>> 1) It would be nice to see some serious cryptological protection
>> of election processes and results.
> 
>> 2b) In particular I don't think PunchScan really solves "the"
>> whole problem.
> 
> What is "the" whole problem? Please provide an attack model.

Well, that's the right question.  That's the sort of question
the punchscan team should be asking themselves, and answering
in more detail than I have heretofore seen.  What threats does
punchscan claim to defend against?  What threats does it leave
to be mitigated by other (non-punchscan) means?

As an example: Let's look at the plant where the ballots are
printed.  Suppose somebody attaches a tiny "spy camera" to
the frame of one of the printing presses, so as to obtain an
image of both parts of the two-part ballot (for some subset
of the ballots).

Obviously anybody who gets this information can defeat all the
cryptologic protections that the protocol is supposed to provide
(for that subset of the ballots).

  Note that the spy camera can be hiding in plain sight, in
  the guise of a "security camera".  Many election-related
  facilities are /required/ to have security cameras.

  There's a difference between mathematical cryptology and real-
  world security.

> There are no per-ballot keys, so there is no partial exposure risk.
> It's all-or-nothing.

It's bad luck to prove things that aren't true.  I just gave an
example of a "partial exposure risk", since some of the ballots
were seen by the spy camera and some weren't.

> The protocol assumes
> the existence of an Election Authority.

Ah yes, but what is being assumed about the /properties/ of
this Election Authority?  Is the EA omnipresent and omnipotent,
like the FSM, or does it have boundaries and limitations?
For example, does it ever need to rely on employees or
subcontractors?
