"privacy" wrote: [good points about weaknesses in adversarial system deleted]
> It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers.
Our anonymous correspondent has not addressed the issues I raised in my initial post on the 7th:

1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

2. The proposed fix - a blizzard of decoy receipts - makes recounts based on the receipts impossible.
> Given that so many jurisdictions are moving towards electronic voting machines, this is a perfect opportunity to introduce mathematical protections instead of relying so heavily on human beings. I would encourage observers on these lists to familiarize themselves with the cryptographic literature and the heavily technical protocol details at http://www.votehere.com/documents.html before passing judgement on these technologies.
Asking the readers of this list to 'familiarize themselves with the cryptographic literature' is, in many cases, a little like telling Tiger Woods that he needs to familiarize himself with the rules of golf. We know the 'advanced cryptographic techniques' you refer to. We also know their limitations - what they can and cannot do. This is not the appropriate forum to try to say "trust me". Answer this:

1. How does this system prevent voter coercion, while still allowing receipt-based recounts? Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she can't personally verify?

3. What chain of events do I have to believe to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompson's classic paper "Reflections on Trusting Trust", as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment.

This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised.

Based on the tone of this letter, I'd hazard a guess that 'privacy' has a vested interest in VoteHere. If this is true, it's a little odd that they are willing to expose their source code, but not their name. We don't bite, unless the victim deserves it :-) Opening your source is an admirable first step - why not step out of the shadows so we can help you make your system better?

I fear a system which does not have a backup mechanism that the average voter can understand.
While it's true that non-electronic systems are subject to compromise, so are electronic ones, regardless of their use of ZK proofs, or 'advanced cryptographic techniques'. I do think electronic voting machines are coming, and a good thing. But they should be promoted on the basis that they are easier to use, and fairer in presentation, than are manual methods. Promoting them on the basis that they are more secure, and less subject to vote tampering, is simply false.

Peter Trei
Cryptoengineer
RSA Security

Disclaimer: The above represents my personal opinions only.