Fwd: Fwd: Fwd: PunchScan voting protocol
I've attached below Rick's reply to this thread. Rick Carback is a member of the PunchScan team.

- Taral

-- Forwarded message --
From: Rick Carback
Date: Dec 16, 2007 12:01 PM
Subject: Re: Fwd: Fwd: PunchScan voting protocol

I think there are some misconceptions/assumptions in play here about the privacy available in current systems. Punchscan was designed to provide an unconditional level of integrity in the voting process, not to improve privacy over the status quo. Election officials, ultimately, are still responsible for protecting the privacy of voters. The cryptography is meant as a tool to be used by election officials that prevents anyone from arbitrarily changing vote totals without getting caught. I do not think that Punchscan is noticeably worse than current systems in terms of privacy protection, and it is still unclear to me if there is any real difference at all.

As for specific responses:

"Well, that's the right question. That's the sort of question the punchscan team should be asking themselves, and answering in more detail than I have heretofore seen. What threats does punchscan claim to defend against? What threats does it leave to be mitigated by other (non-punchscan) means?"

We have talked about this stuff and published it -- we're still talking about it, see:

http://punchscan.org/papers/ibs_carback.pdf
http://punchscan.org/papers/receipts_clark.pdf
http://punchscan.org/papers/patterns_popoveniuc
http://punchscan.org/papers/pip_essex.pdf

There will be more publications in the future. Also, you might want to check out our VoComp submission:

http://punchscan.org/vocomp.php

Unlike any other team at the competition, we were more careful with our claims and our analysis of our system. Part of that is the reason why we won.

"As an example: Let's look at the plant where the ballots are printed. Suppose somebody attaches a tiny "spy camera" to the frame of one of the printing presses, so as to obtain an image of both parts of the two-part ballot (for some subset of the ballots)."

In a traditional system, you can put the spy cameras in the polling place so you can watch each voter vote. That will allow you to *directly* target and identify each voter in a location where election authorities exert *less* control over the surrounding environment. By contrast, attacking the printer provides you with a decryption of the ballots but not who used them -- you still have to go out and find each voter, and the only reliable way to do that is to catch them in the act of voting, because they could have got rid of the receipt or swapped it (alternatively, receipts could be given to third parties, e.g. LWV; this is what EPIC suggests). In that sense, this example is unrealistic. This is especially true when you include machines in polling places that know how voters vote (in punchscan, they don't), and the myriad of ways a voter could expose their choices to a coercer. See:

http://punchscan.org/blog/?p=6
http://punchscan.org/blog/?p=7

The comment about "partial exposure risk" looks like a misunderstanding, so I'll ignore it.

"Ah yes, but what is being assumed about the /properties/ of this Election Authority? Is the EA omnipresent and omnipotent, like the FSM, or does it have boundaries and limitations? For example, does it ever need to rely on employees or subcontractors?"

This information is in the original papers, but the EA is responsible for generating the data, supervising the printing and packaging (which should include tamper-evident protections), and coordinating the shipment of ballots to polling places. Essentially, all the things a central authority would be responsible for in a current optical scan system. It would also be responsible for generating keys for the scanning equipment and controlling authentication to the bulletin board, but that is all part of the bulletin board component that could be generic to any E2E system.

I might post this to the blog, but I am sort of busy. I will let you know when/if I do.

-R

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: PunchScan voting protocol
On 12/13/2007 08:23 PM, Taral wrote:
> On 12/12/07, John Denker <[EMAIL PROTECTED]> wrote:
>> Several important steps in the process must be carried out in
>> secret, and if there is any leakage, there is unbounded potential
>> for vote-buying and voter coercion.
>
> I've done quite a bit of work with this protocol. The protocol assumes
> the existence of an Election Authority. The Authority has the master
> keys required to generate certain data sets, and these keys give the
> Authority the ability to associate ballot numbers with votes. Note
> that this doesn't necessarily give the Authority the ability to
> associate people with votes.
>
> There are no per-ballot keys, so there is no partial exposure risk.
> It's all-or-nothing.
>
>> 1) It would be nice to see some serious cryptological protection
>> of election processes and results.
>
>> 2b) In particular I don't think PunchScan really solves "the"
>> whole problem.
>
> What is "the" whole problem? Please provide an attack model.

Well, that's the right question. That's the sort of question the punchscan team should be asking themselves, and answering in more detail than I have heretofore seen. What threats does punchscan claim to defend against? What threats does it leave to be mitigated by other (non-punchscan) means?

As an example: Let's look at the plant where the ballots are printed. Suppose somebody attaches a tiny "spy camera" to the frame of one of the printing presses, so as to obtain an image of both parts of the two-part ballot (for some subset of the ballots). Obviously anybody who gets this information can defeat all the cryptologic protections that the protocol is supposed to provide (for that subset of the ballots).

Note that the spy camera can be hiding in plain sight, in the guise of a "security camera". Many election-related facilities are /required/ to have security cameras.

There's a difference between mathematical cryptology and real-world security.

> There are no per-ballot keys, so there is no partial exposure risk.
> It's all-or-nothing.

It's bad luck to prove things that aren't true. I just gave an example of a "partial exposure risk", since some of the ballots were seen by the spy camera and some weren't.

> The protocol assumes
> the existence of an Election Authority.

Ah yes, but what is being assumed about the /properties/ of this Election Authority? Is the EA omnipresent and omnipotent, like the FSM, or does it have boundaries and limitations? For example, does it ever need to rely on employees or subcontractors?
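The two messages above disagree about whether the printing-plant scenario is a "partial exposure". The following model, added here as an illustration and not code from the PunchScan project or from anyone in the thread, works through what each sheet of a two-sheet ballot reveals on its own and what both sheets reveal together. The ballot layout is a simplified reading of the published PunchScan design and is an assumption of this example: the top sheet assigns a randomly ordered letter to each candidate and has holes; the bottom sheet carries the same letters in an independent random order, visible through the holes; the voter marks the hole showing the letter of the chosen candidate, the mark lands on both sheets, and the voter keeps one sheet as the receipt. Candidate names, the sheet-to-candidate mapping and the `exposure_report` scenario are constructed for the example.

```python
"""Information model of a two-sheet ballot: one sheet vs. both sheets.

Added example (assumed simplified PunchScan-style layout, see lead-in).
Shows that a receipt (one marked sheet) is consistent with every candidate,
while both sheets plus the mark decode the vote, and that this holds ballot
by ballot: leaking some ballots' sheet pairs exposes exactly those ballots.
"""
import itertools
import random

# Constructed candidate list for the example.
CANDIDATES = ("Alice", "Bob", "Carol")
LETTERS = tuple(chr(ord("A") + i) for i in range(len(CANDIDATES)))


def make_ballot(rng):
    """Independent random letter orders for the top and bottom sheets.

    top[i]    : letter printed next to CANDIDATES[i] on the top sheet
    bottom[j] : letter visible through hole j (printed on the bottom sheet)
    """
    top, bottom = list(LETTERS), list(LETTERS)
    rng.shuffle(top)
    rng.shuffle(bottom)
    return {"top": tuple(top), "bottom": tuple(bottom)}


def cast_vote(ballot, candidate):
    """Return the hole index the voter marks to select `candidate`."""
    letter = ballot["top"][CANDIDATES.index(candidate)]
    return ballot["bottom"].index(letter)


def decode(top, bottom, hole):
    """Both sheets plus the marked hole determine the candidate."""
    return CANDIDATES[top.index(bottom[hole])]


def candidates_consistent_with(top=None, bottom=None, hole=None):
    """Candidates consistent with the marked hole and whatever sheets are known.

    An unknown sheet is enumerated over all letter orders; with only one sheet
    known, every candidate remains possible.
    """
    tops = [top] if top is not None else list(itertools.permutations(LETTERS))
    bottoms = [bottom] if bottom is not None else list(itertools.permutations(LETTERS))
    return {decode(t, b, hole) for t in tops for b in bottoms}


def exposure_report(num_ballots, imaged_indices, seed=1):
    """Constructed scenario: an observer later sees each voter's receipt.

    For ballots whose index is in `imaged_indices` the observer has also seen
    both sheets before they were separated; for the others only the receipt.
    Returns how many votes the observer can determine uniquely.
    """
    rng = random.Random(seed)
    exposed = 0
    for i in range(num_ballots):
        ballot = make_ballot(rng)
        choice = rng.choice(CANDIDATES)
        hole = cast_vote(ballot, choice)
        kept = rng.choice(("top", "bottom"))  # sheet the voter takes home
        if i in imaged_indices:
            learned = {decode(ballot["top"], ballot["bottom"], hole)}
        else:
            learned = candidates_consistent_with(**{kept: ballot[kept]}, hole=hole)
        if learned == {choice}:
            exposed += 1
    return exposed


if __name__ == "__main__":
    b = {"top": ("B", "A", "C"), "bottom": ("C", "B", "A")}
    h = cast_vote(b, "Alice")
    print("marked hole:", h)
    print("receipt (top only) consistent with:", candidates_consistent_with(top=b["top"], hole=h))
    print("receipt (bottom only) consistent with:", candidates_consistent_with(bottom=b["bottom"], hole=h))
    print("both sheets decode to:", decode(b["top"], b["bottom"], h))
    print("votes exposed with 3 of 20 ballots imaged:", exposure_report(20, {0, 3, 7}))
```

In this model there is no shared key whose compromise is all-or-nothing; each ballot's privacy rests on its own two letter orders never being seen together, so the number of votes exposed tracks the number of ballots whose sheet pair was observed. That is the sense in which the printing-plant scenario is per-ballot rather than per-election.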
Re: PunchScan voting protocol
On 12/12/07, John Denker <[EMAIL PROTECTED]> wrote:
> Several important steps in the process must be carried out in
> secret, and if there is any leakage, there is unbounded potential
> for vote-buying and voter coercion.

I've done quite a bit of work with this protocol. The protocol assumes the existence of an Election Authority. The Authority has the master keys required to generate certain data sets, and these keys give the Authority the ability to associate ballot numbers with votes. Note that this doesn't necessarily give the Authority the ability to associate people with votes.

There are no per-ballot keys, so there is no partial exposure risk. It's all-or-nothing.

> 1) It would be nice to see some serious cryptological protection
> of election processes and results.

> 2b) In particular I don't think PunchScan really solves "the"
> whole problem.

What is "the" whole problem? Please provide an attack model.

--
Taral <[EMAIL PROTECTED]>
"Please let me know if there's any further trouble I can give you." -- Unknown
PunchScan voting protocol
Hi Folks --

I was wondering to what extent the folks on this list have taken a look at the PunchScan voting scheme:

http://punchscan.org/

The site makes the following claims:

>> End-to-end cryptographic independent verification, or E2E, is a
>> mechanism built into an election that allows voters to take a
>> piece of the ballot home with them as a receipt. This receipt
>> does not allow voters to prove to others how they voted, but it
>> does permit them to:
>>
>> * Verify that they have properly indicated their votes to
>> election officials (cast-as-intended).
>> * Verify with extremely high assurance that all votes were
>> counted properly (counted-as-cast).
>>
>> Voters can check that their vote actually made it to the tally,
>> and that the election was conducted fairly.

Those seem at first glance to be a decent set of claims, from a public-policy point of view. If somebody would prefer a different set of claims, please explain.

PunchScan contains some nifty crypto, but IMHO this looks like a classic case of too much crypto and not enough real security. I am particularly skeptical of one of the FAQ-answers:

http://punchscan.org/faq-protections.php#5

Several important steps in the process must be carried out in secret, and if there is any leakage, there is unbounded potential for vote-buying and voter coercion. The Boss can go to each voter and make the usual silver-or-lead proposition: Vote as I say, and then show me your voting receipt. I'll give you ten dollars. But if I find out you voted against me, I'll kill you. The voter cannot afford to take the chance that even a small percentage of the ballot-keys leak out.

1) It would be nice to see some serious cryptological protection of election processes and results.

2a) I don't think we're there yet.

2b) In particular I don't think PunchScan really solves "the" whole problem.

3) I'd love to be wrong about item (2). Does anybody see a way to close the gaps?