RE: Firm invites experts to punch holes in ballot software
Major Variola (ret) wrote:
Peter, what would be wrong with having a machine in the booth that prints any valid receipt BUT is not connected to the voting system. "To vote use the red machine; if you're being coerced you can use the blue machine to print as many receipts as intimidators."
A trade off between (mild) user complexity and the desire for receipts (without coercion).
The system described allows the user to take a receipt (which has only numbers on it) and use a website to determine that the vote was recorded correctly. A decoy receipt would also have to pass this test.

Frankly, the whole online-verification step seems like an unnecessary complication.

* Both real and decoy receipts would have to be in the database for verification - which bothers me a lot.
* There seems to be no provision for recounts - what are they supposed to do - have everybody send in their receipts? How can you tell the decoys from the real?

I give VoteHere kudos for releasing their source, but it doesn't solve the e-voting problem.

Peter Trei
Trei, Peter wrote:
Frankly, the whole online-verification step seems like an unnecessary complication.
It seems to me that the requirement for after-the-vote verification ("to prove your vote was counted") clashes rather directly with the requirement to protect voters from coercion ("I can't prove I voted in a particular way.") or other incentives-based attacks.

You can have one, or the other, but not both, right?

It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote.

iang
The principle here is that no one should be able to prove how the voter voted, not even the voter. Yes, votes need to be verified and voters are certainly one party that can do it. However, you never want to allow the voter to take any kind of "receipt" out of the voting station if that receipt can be used to determine how the voter voted, e.g. by matching a number or pattern on the ballot, even if to the voter. Otherwise, vote selling and coercion cannot be prevented.

Cheers,
Ed Gerck

Ian Grigg wrote:
Trei, Peter wrote:
Frankly, the whole online-verification step seems like an unnecessary complication.
It seems to me that the requirement for after-the-vote verification ("to prove your vote was counted") clashes rather directly with the requirement to protect voters from coercion ("I can't prove I voted in a particular way.") or other incentives-based attacks.
You can have one, or the other, but not both, right?
It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote.
iang
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
Trei, Peter wrote:
Frankly, the whole online-verification step seems like an unnecessary complication.
It seems to me that the requirement for after-the-vote verification ("to prove your vote was counted") clashes rather directly with the requirement to protect voters from coercion ("I can't prove I voted in a particular way.") or other incentives-based attacks.
You can have one, or the other, but not both, right?
Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote. It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless.
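Added example, not part of Brian McGroarty's message or of any VoteHere code: one way to read the proposal above is as n-of-n secret sharing, instantiated here with XOR pads (an assumption; the message names no scheme). The record format, the names `split`, `issue_receipts` and `recover`, the extra closing receipts and the sample votes are all constructed for illustration.

```python
import secrets
from functools import reduce

RECORD_LEN = 16  # fixed width so a share's length leaks nothing about the choice

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split(record: bytes, n: int, rand=secrets.token_bytes) -> list:
    """n-of-n split: n-1 uniformly random pads plus one share closing the XOR."""
    pads = [rand(len(record)) for _ in range(n - 1)]
    return pads + [reduce(xor, pads, record)]

def issue_receipts(votes: list, n: int = 3) -> list:
    """Receipt i carries one share for each of the n ballots cast before it.

    A receipt never holds a share of its own ballot. Returns len(votes) + n
    receipts; the last n are 'closing' receipts (an assumption of this
    sketch) so the final ballots also get n holders.
    Each receipt is a dict {ballot_index: share}.
    """
    receipts = [dict() for _ in range(len(votes) + n)]
    for i, vote in enumerate(votes):
        if len(vote.encode()) > RECORD_LEN:
            raise ValueError("vote does not fit the fixed-width record")
        record = vote.encode().ljust(RECORD_LEN, b"\0")
        for k, share in enumerate(split(record, n), start=1):
            receipts[i + k][i] = share
    return receipts

def recover(collected: list, ballot: int, n: int = 3):
    """Return the ballot's vote if all n shares are in `collected`, else None."""
    shares = [r[ballot] for r in collected if ballot in r]
    if len(shares) != n:
        return None  # any subset short of n is statistically independent of the vote
    return reduce(xor, shares).rstrip(b"\0").decode()

# Constructed sample election, in casting order.
VOTES = ["alice", "bob", "alice", "carol", "bob"]

if __name__ == "__main__":
    receipts = issue_receipts(VOTES)
    print(recover([receipts[1]], 0))   # one receipt alone
    print(recover(receipts[1:4], 0))   # receipts 1-3 together
    print([recover(receipts, b) for b in range(len(VOTES))])  # full audit
```

`recover` returns a vote to anyone holding all three consecutive receipts, so the scheme's protection rests on those receipts staying in different hands.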
Brian McGroarty wrote:
On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
It seems to me that the requirement for after-the-vote verification ("to prove your vote was counted") clashes rather directly with the requirement to protect voters from coercion ("I can't prove I voted in a particular way.") or other incentives-based attacks.
You can have one, or the other, but not both, right?
Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote.
It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless.
If I'm happy to pervert the electoral process, then I'm quite happy to do it in busloads. In fact, this is a common approach, busses are paid for by a party candidate, the 1st stop is the polling booth, the 2nd stop is the party booth. In the west, this is done with old people's homes, so I hear.

Now, one could say that we'd distribute the verifiability over a random set of pollees, but that would make the verification impractically expensive.

iang
Date: Wed, 07 Apr 2004 15:42:47 -0400
From: Ian Grigg <iang@systemics.com>
It seems to me that the requirement for after-the-vote verification ("to prove your vote was counted") clashes rather directly with the requirement to protect voters from coercion ("I can't prove I voted in a particular way.") or other incentives-based attacks.
You can have one, or the other, but not both, right?
What you can have is for the voter to be able to verify that his/her vote was properly counted without being able to prove it to anybody else. In that case, an individual claim that a vote was improperly counted wouldn't be convincing, but a wide enough outcry might trigger a recount.

I think this would add unnecessary and undesired complexity to a political election voting system, though.

Ray
At 1:16 PM -0400 4/7/04, Trei, Peter wrote:
I give VoteHere kudos for releasing their source, but it doesn't solve the e-voting problem.
As far as I can figure, the only way to solve the "voting problem" is to sell your votes. Frankly, I think the "voting problem" is a boundary problem between financial cryptography and political cryptography, the latter of which I could give a damn about, except for purposes of low comedy.

Cheers,
RAH
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
participants (6)
- Brian McGroarty
- Ed Gerck
- Ian Grigg
- R. A. Hettinga
- R. Hirschfeld
- Trei, Peter