Hello -- David Chaum has a new system that is an optical one-time pad. It requires a printer that prints squares on both sides of a transparent 2-layer ballot. To the voter it looks like ordinary printing with a solid black border. Then s/he separates the layers, hands one in for counting and either tosses or takes home the other. Each layer by itself appears random (both border and text become a random hash), but several organizations successively applying their keys can reveal the totals while scrambling the individual identities. No individual organization, or even the polling place computers, can tamper with the result without a high probability of being caught; the voter can't prove how they voted, and the voter and each of the organizations can verify that their vote or handling was preserved. This is based on my recollection of his talk last Spring; see if he's posted something online. Howie Goodell -- Howie Goodell Controls, Embedded, and UI Software CompSci Doctoral Cand. UMass Lowell Howie@GoodL.org http://GoodL.org
Is is possible to use blinding (or other protocols) so that all votes are published, you can check that your vote is in there, and you (or anyone) can run the maths and verify the vote? Without being able to link people to votes without their consent.
Currently voting is trusted because political adversaries supervise the process. Previously the mechanics were, well, mechanical, ie, open for inspection. The current genre of voting machines.. well, you know the scam. And still reliant on a few adversarial human monitors.
Something like this: The day after elections a list of hex codes -votes- are published. You can find in that list the code that you received (on paper) when you voted, to verify that your vote counted. You can run an algorithm on any subset of codes, including just your own, and learn which candidate that code corresponds to. Everyone can run on the entire dataset, verifying the tally. You don't have to divulge which code is yours if you want it to remain secret. Perhaps the code could contain not only the intended vote, but a unique voter ID so that hexcodes could not be added to the dataset (cf dead people not allowed to vote except in Chicago) without setting off alarms. Perhaps anyone could verify that someone voted, or not, but could not figure who they voted for without their cooperation.
Apologies if I should know this, I haven't gotten my head around all the M of N, blinding, database translucency, etc protocols.
E3-I: This message has been scanned for viruses and dangerous content by UML's antivirus scanning services.