Re: Firm invites experts to punch holes in ballot software

2004-04-09 Thread R. Hirschfeld
> Date: Wed, 07 Apr 2004 15:42:47 -0400
> From: Ian Grigg <[EMAIL PROTECTED]>
> 
> It seems to me that the requirement for after-the-vote
> verification ("to prove your vote was counted") clashes
> rather directly with the requirement to protect voters
> from coercion ("I can't prove I voted in a particular
> way.") or other incentives-based attacks.
> 
> You can have one, or the other, but not both, right?

What you can have is for the voter to be able to verify that his/her
vote was properly counted without being able to prove it to anybody
else.

In that case, an individual claim that a vote was improperly counted
wouldn't be convincing, but a wide enough outcry might trigger a
recount.

I think this would add unnecessary and undesired complexity to a
political election voting system, though.

Ray

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Firm invites experts to punch holes in ballot software

2004-04-09 Thread Ian Grigg
Brian McGroarty wrote:
> On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
> > It seems to me that the requirement for after-the-vote
> > verification ("to prove your vote was counted") clashes
> > rather directly with the requirement to protect voters
> > from coercion ("I can't prove I voted in a particular
> > way.") or other incentives-based attacks.
> >
> > You can have one, or the other, but not both, right?
>
> Suppose individual ballots weren't usable to verify a vote, but
> instead confirming data was distributed across 2-3 future ballot
> receipts such that all of them were needed to reconstruct another
> ballot's vote.
>
> It would then be possible to verify an election with reasonable
> confidence if a large number of ballot receipts were collected, but
> individual ballot receipts would be worthless.


If I'm happy to pervert the electoral
process, then I'm quite happy to do it
in busloads.  In fact, this is a common
approach, busses are paid for by a party
candidate, the 1st stop is the polling
booth, the 2nd stop is the party booth.
In the west, this is done with old people's
homes, so I hear.
Now, one could say that we'd distribute
the verifiability over a random set of
pollees, but that would make the verification
impractically expensive.
iang



Re: Firm invites experts to punch holes in ballot software

2004-04-09 Thread Brian McGroarty
On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
> Trei, Peter wrote:
> >Frankly, the whole online-verification step seems like an
> >unnecessary complication.
> 
> It seems to me that the requirement for after-the-vote
> verification ("to prove your vote was counted") clashes
> rather directly with the requirement to protect voters
> from coercion ("I can't prove I voted in a particular
> way.") or other incentives-based attacks.
> 
> You can have one, or the other, but not both, right?

Suppose individual ballots weren't usable to verify a vote, but
instead confirming data was distributed across 2-3 future ballot
receipts such that all of them were needed to reconstruct another
ballot's vote.

It would then be possible to verify an election with reasonable
confidence if a large number of ballot receipts were collected, but
individual ballot receipts would be worthless.
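McGroarty's proposal above, written up as a toy simulation added here (not code from the thread or from VoteHere): each ballot's vote code is XOR-split into three shares carried on the next three voters' receipts, so a single receipt is uniformly random noise while the full set of receipts recovers every vote. The share count, the one-byte vote codes and the sample votes are constructed assumptions; as Ian Grigg notes in reply, whoever holds all the receipts recovers the votes too.

```python
import random
from dataclasses import dataclass, field

NUM_SHARES = 3  # the "2-3 future ballot receipts" of the proposal (assumed: 3)


@dataclass
class Receipt:
    ballot_id: int
    # ballot_id of an earlier ballot -> one XOR share of that ballot's vote code
    shares: dict = field(default_factory=dict)


def split_vote(vote: int, rng: random.Random) -> list:
    """XOR-split a one-byte vote code into NUM_SHARES one-byte shares.
    Any NUM_SHARES-1 of them are uniformly random and say nothing about the vote."""
    if not 0 <= vote < 256:
        raise ValueError("vote code must fit in one byte")
    shares = [rng.randrange(256) for _ in range(NUM_SHARES - 1)]
    last = vote
    for s in shares:
        last ^= s  # final share makes the XOR of all shares equal the vote
    return shares + [last]


def issue_receipts(votes: list, seed=None) -> list:
    """Cast `votes` in order; ballot i's shares go onto the receipts of voters
    i+1 .. i+NUM_SHARES. The last few ballots have no later voters and are left
    unverifiable in this toy (a real scheme would need dummy receipts)."""
    rng = random.Random(seed)  # seed=None draws from OS entropy
    receipts = [Receipt(i) for i in range(len(votes))]
    for i, vote in enumerate(votes):
        holders = list(range(i + 1, i + 1 + NUM_SHARES))
        if holders[-1] >= len(votes):
            continue
        for holder, share in zip(holders, split_vote(vote, rng)):
            receipts[holder].shares[i] = share
    return receipts


def reconstruct(ballot_id: int, receipts: list):
    """Recover a ballot's vote code from a collection of receipts, or None when
    any one of its NUM_SHARES shares is missing (a lone receipt is worthless)."""
    shares = [r.shares[ballot_id] for r in receipts if ballot_id in r.shares]
    if len(shares) < NUM_SHARES:
        return None
    vote = 0
    for s in shares:
        vote ^= s
    return vote


if __name__ == "__main__":
    VOTES = [0, 1, 2, 1, 0, 1, 2, 2, 1, 0]  # constructed sample: candidate codes
    receipts = issue_receipts(VOTES, seed=2004)
    print("receipt 1 alone carries:", receipts[1].shares)
    print("ballot 0 from all receipts:", reconstruct(0, receipts))
    print("ballot 0 with receipt 2 missing:",
          reconstruct(0, [r for r in receipts if r.ballot_id != 2]))
```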




Re: Firm invites experts to punch holes in ballot software

2004-04-08 Thread Roland C. Dowdeswell
On 1081373018 seconds since the Beginning of the UNIX epoch
"Paul Zuefeldt" wrote:
>
>Maybe the receipt should only allow the voter to check that his vote has
>been counted. To get the detail you could require him to appear in person
>with his receipt AND a photo ID or some such, then only allow him to view
>his detail -- not print it.

I'd be slightly uncomfortable with this since the authorities should
not have a mechanism by which they can discover for whom I voted.

--
Roland Dowdeswell  http://www.Imrryr.ORG/~elric/



Re: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Paul Zuefeldt
Maybe the receipt should only allow the voter to check that his vote has
been counted. To get the detail you could require him to appear in person
with his receipt AND a photo ID or some such, then only allow him to view
his detail -- not print it.

Paul Zuefeldt

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, April 07, 2004 3:14 PM
Subject: RE: Firm invites experts to punch holes in ballot software


> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Trei, Peter
> > Sent: Wednesday, April 07, 2004 1:17 PM
> > [SNIP]
> >
> > Frankly, the whole online-verification step seems like an
> > unnecessary complication.
> >
> Except to those of us who don't trust the system.
>
> Implemented correctly it could be cheap and complications could be
> hidden from the voter. It could be cheaper - no need to pay people to do
> an audit when "the people" will do it for you. You only need a small
> fraction of "the people" to verify their votes to get a high level of
> confidence that the election is valid. You only need one failure to cast
> doubt on the election. This requires an un-forgeable receipt that cannot
> be used for coercion. Un-forgeable we have been doing for a while now
> with lots of different PK options. A receipt that cannot be used for
> coercion cannot give any indication to others of who you voted for.
> Right now this is a big complication (at least to me - I don't know how
> to create such a receipt that doesn't require mental gymnastics on the
> part of the voter).
>
> -Michael Heyman



Re: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Ed Gerck

The principle here is that no one should be able to prove how 
the voter voted, not even the voter. 

Yes, votes need to be verified and voters are certainly one party 
that can do it. However, you never want to allow the voter to 
take any kind of "receipt" out of the voting station if that 
receipt can be used to determine how the voter voted, e.g. by 
matching a number or pattern on the ballot, even if to the voter. 
Otherwise, vote selling and coercion cannot be prevented.

Cheers,
Ed Gerck

Ian Grigg wrote:
> 
> Trei, Peter wrote:
> > Frankly, the whole online-verification step seems like an
> > unnecessary complication.
> 
> It seems to me that the requirement for after-the-vote
> verification ("to prove your vote was counted") clashes
> rather directly with the requirement to protect voters
> from coercion ("I can't prove I voted in a particular
> way.") or other incentives-based attacks.
> 
> You can have one, or the other, but not both, right?
> 
> It would seem that the former must give way to the latter,
> at least in political voting.  I.e., no verification after
> the vote.
> 
> iang
> 



RE: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Michael_Heyman
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Trei, Peter
> Sent: Wednesday, April 07, 2004 1:17 PM
> [SNIP] 
> 
> Frankly, the whole online-verification step seems like an 
> unnecessary complication.
>
Except to those of us who don't trust the system.

Implemented correctly it could be cheap and complications could be
hidden from the voter. It could be cheaper - no need to pay people to do
an audit when "the people" will do it for you. You only need a small
fraction of "the people" to verify their votes to get a high level of
confidence that the election is valid. You only need one failure to cast
doubt on the election. This requires an un-forgeable receipt that cannot
be used for coercion. Un-forgeable we have been doing for a while now
with lots of different PK options. A receipt that cannot be used for
coercion cannot give any indication to others of who you voted for.
Right now this is a big complication (at least to me - I don't know how
to create such a receipt that doesn't require mental gymnastics on the
part of the voter).

-Michael Heyman
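Heyman's point that only a small fraction of "the people" need to verify their votes to reach high confidence can be made concrete. This is an added example, not code from the thread or from VoteHere; it treats the self-verifying voters as a random sample drawn without replacement from the cast ballots, and the vote counts are constructed assumptions.

```python
def miss_probability(total_votes: int, altered_votes: int, verifiers: int) -> float:
    """Chance that `verifiers` voters, drawn at random without replacement from
    `total_votes` ballots, all find their own vote intact although `altered_votes`
    ballots were miscounted (the no-hit term of the hypergeometric distribution)."""
    if not 0 <= altered_votes <= total_votes or not 0 <= verifiers <= total_votes:
        raise ValueError("inconsistent counts")
    p_miss = 1.0
    for i in range(verifiers):
        # the i-th verifier draws from the ballots nobody has checked yet
        p_miss *= (total_votes - altered_votes - i) / (total_votes - i)
        if p_miss <= 0.0:
            return 0.0
    return p_miss


def detection_probability(total_votes: int, altered_votes: int, verifiers: int) -> float:
    """Chance that at least one self-verifying voter finds a miscounted ballot:
    Heyman's "one failure" that casts doubt on the election."""
    return 1.0 - miss_probability(total_votes, altered_votes, verifiers)


def verifiers_needed(total_votes: int, altered_votes: int, confidence: float):
    """Smallest number of self-verifying voters for which the chance of catching
    at least one of `altered_votes` miscounted ballots reaches `confidence`.
    Returns None when nothing was altered (there is nothing to catch)."""
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence must be in (0, 1]")
    if altered_votes == 0:
        return None
    k, p_miss = 0, 1.0
    while 1.0 - p_miss < confidence:
        p_miss *= (total_votes - altered_votes - k) / (total_votes - k)
        k += 1
    return k


if __name__ == "__main__":
    N = 100_000  # constructed: ballots cast in a mid-sized election
    print(f"{'altered':>8} {'verifiers':>10} {'P(detect)':>10}")
    for altered in (10, 100, 1_000):
        for verifiers in (100, 1_000, 10_000):
            p = detection_probability(N, altered, verifiers)
            print(f"{altered:>8} {verifiers:>10} {p:>10.4f}")
    print("verifiers for 95% confidence against 1% tampering:",
          verifiers_needed(N, 1_000, 0.95))
```

The table shows the flip side of the argument: a handful of altered ballots among 100,000 is very unlikely to be noticed unless a large fraction of voters actually bother to check.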



RE: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Trei, Peter
> Ian Grigg[SMTP:[EMAIL PROTECTED] wrote:
> 
> Trei, Peter wrote:
> > Frankly, the whole online-verification step seems like an
> > unnecessary complication.
> 
> It seems to me that the requirement for after-the-vote
> verification ("to prove your vote was counted") clashes
> rather directly with the requirement to protect voters
> from coercion ("I can't prove I voted in a particular
> way.") or other incentives-based attacks.
> 
> You can have one, or the other, but not both, right?
> 
> It would seem that the former must give way to the latter,
> at least in political voting.  I.e., no verification after
> the vote.
> 
> iang
> 
Yes, that seems to be the case. Note that in the current
(non computer) systems, we have no way to assure 
that our votes  actually contributed to the total, but the 
procedural stuff of having mutually hostile observers to 
the counting process makes deliberate discarding of 
one side's votes less likely. (Non-deliberate losses - 
such as the recent failure to record cards marked 
with the wrong kind of pen - can still happen).

VoteHere, while they seem to be well-meaning, have
not solved the problem. Mercuri & Rivest have 
described how to do it right; we just need someone
to build or retrofit the machines appropriately.

Peter Trei




Re: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Ian Grigg
Trei, Peter wrote:
> Frankly, the whole online-verification step seems like an
> unnecessary complication.

It seems to me that the requirement for after-the-vote
verification ("to prove your vote was counted") clashes
rather directly with the requirement to protect voters
from coercion ("I can't prove I voted in a particular
way.") or other incentives-based attacks.

You can have one, or the other, but not both, right?

It would seem that the former must give way to the latter,
at least in political voting.  I.e., no verification after
the vote.
iang



RE: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Trei, Peter
Major Variola (ret) wrote:

>Peter, what would be wrong with having a machine in the booth that
>prints
>any valid receipt BUT is not connected to the voting system.  "To vote
>use the red machine; if you're being coerced you can use the blue
>machine
>to print as many receipts as intimidators."

>A trade off between (mild) user complexity and the desire for receipts
>(without coercion).

The system described allows the user to take a receipt (which has
only numbers on it) and use a website to determine that the vote
was recorded correctly.

A decoy receipt would also have to pass this test.

Frankly, the whole online-verification step seems like an
unnecessary complication.

* Both real and decoy receipts would have to be in the database
for verification - which bothers me a lot.

* There seems to be no provision for recounts - what are they 
supposed to do - have everybody send in their receipts? How can you
tell the decoys from the real?

I give VoteHere kudos for releasing their source, but it doesn't
solve the e-voting problem.

Peter Trei



RE: Firm invites experts to punch holes in ballot software

2004-04-07 Thread Trei, Peter


>Firm invites experts to punch holes in ballot software

> The company's software is designed to let voters verify that their ballots
>were properly handled. It assigns random identification numbers to ballots
>and candidates. After people vote, they get a receipt that shows which
>candidates they chose--listed as numbers, not names. Voters can then use
>the Internet and their ballot identification number to check that their
>votes were correctly counted.

This is kind of broken. Allowing the voter to get a receipt which
they take away with them for verification may allow the voter to verify
that their vote was recorded as cast, but also allows coercion and 
vote buying.

To their credit, the creators thought of this, and suggest a
partial procedural fix in the threat analysis document:

P4. Let voters discard verification receipts in poll site trash 
can and let any voter take them
Result: Buyer/coercer can't be sure voter generated verification
receipt

P5. Have stacks of random printed codebooks freely available in poll
site
Result: Vote buyer/coercer can't be sure captured codebook was used

P6. Have photos of on-screen codebooks freely available on-line
Result: Vote buyer/coercer can't be sure captured codebook was used

The first problem, of course, is that a person under threat of 
coercion will need to present the coercer with a receipt showing 
exactly the mix of votes the coercer required. This leads 
to a combinatorial explosion of fake receipts that need to be available.

Having only one vote on each receipt might mitigate this, but it still
gets really messy.

Second, it's not clear how this protects against the coercer checking the
ballot online - will every fake also be recorded in the system, so
it passes the online check? Having both real and fake ballots in
the verification server makes me very nervous.

It's possible I've missed something - this is based on a quick glance
through the online documents, but I don't see any advantage this 
system has over the much more discussed one where the receipt is
printed in a human readable way, shown to the voter, but retained 
inside the machine as a backup for recounts.

Just my private, personal opinion.

Peter Trei



Firm invites experts to punch holes in ballot software

2004-04-07 Thread R. A. Hettinga
Ah, the old hack-me "contest" arrives in the electronic voting business.

I love the smell of burning snake-oil in the morning...

Cheers,
RAH
---


<http://zdnet.com.com/2102-1105_2-5186016.html?tag=printthis>



Firm invites experts to punch holes in ballot software
 By  Robert Lemos
 CNET News.com
 April 6, 2004, 4:23 PM PT
 URL:  http://zdnet.com.com/2100-1105-5186016.html

 VoteHere, a maker of security software for voting machines, published the
source code for its product online in hopes of garnering additional
analysis of its method for verifying the integrity of electronic votes.

The company, which has patented its VHTi technology, wants comments, not
competition, so it released the code and several documents to its Web site
under a license that restricts use of the code to analysis for a period of
60 days.

 "We pride ourselves on being good students of cryptography," said Jim
Adler, founder and CEO of the Bellevue, Wash., company. "We know there is
no security through obscurity, so we want to be open."

 Revealing encryption algorithms for peer review is a standard practice in
encryption circles and allows experts to poke holes in other people's
technology. VoteHere hopes the additional scrutiny will prove that its
technology is sound, Adler said.

 The company's software is designed to let voters verify that their ballots
were properly handled. It assigns random identification numbers to ballots
and candidates. After people vote, they get a receipt that shows which
candidates they chose--listed as numbers, not names. Voters can then use
the Internet and their ballot identification number to check that their
votes were correctly counted.

 "It doesn't protect the system from compromise, but it detects when
compromises happen," Adler said. "We are the barking dogs: If anything
touches the ballots, it can be detected."

 The move comes as questions arise about the security of electronic and
Internet voting.

 Though few problems with electronic voting machines arose on March 1,
Super Tuesday, many problems have cropped up during other elections.

 Some states, Michigan among them, are going full bore to ballots cast on
the Internet, despite some computer scientists' concerns that the Net is
not secure enough to prevent election tampering. About 28 percent of
Michigan voters cast their ballot online in February during that state's
Democratic caucus. In the same month, the Department of Defense backed away
from plans to conduct a trial that could have let the 6 million Americans
abroad cast their vote online.

 VoteHere has had its own security issues to deal with as well. In
December, the company called in the FBI to investigate a breach in the
company's network. Adler said the investigation was ongoing and stressed
that VoteHere's plans to release source code had been in the works since
last summer.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
