voting

[Jerrold Leichter]

| 	"privacy" wrote:
| 	[good points about weaknesses in adversarial system deleted]
|
| > It's baffling that security experts today are clinging to the outmoded
| > and insecure paper voting systems of the past, where evidence of fraud,
| > error and incompetence is overwhelming.  Cryptographic voting protocols
| > have been in development for 20 years, and there are dozens of proposals
| > in the literature with various characteristics in terms of scalability,
| > security and privacy.  The votehere.net scheme uses advanced cryptographic
| > techniques including zero knowledge proofs and verifiable remixing,
| > the same method that might be used in next generation anonymous remailers.
| >
| Our anonymous corrospondent has not addressed the issues I raised in my
| initial post on the 7th:
|
| 1. The use of receipts which a voter takes from the voting place to 'verify'
| that their vote was correctly included in the total opens the way for voter
| coercion.
|
| 2. The proposed fix - a blizzard of decoy receipts - makes recounts based
| on the receipts impossible.
The VoteHere system is really quite clever, and you're attacking it for not
being the same as everything that went before.

Current systems - whether paper, machine, or whatever - provide no inherent
assurance that the vote you cast is the one that got counted.  Ballot boxes
can be lost, their contents can be replaced; machines can be rigged.  We
use procedural mechanisms to try to prevent such attacks.  It's impossible to
know how effective they are:  We have no real way to measure the effectiveness,
since there is no independent check on what they are controlling.  There are
regular allegations of all kinds of abuses, poll watchers or no.  And there
are plenty of suspect results.

| Answer this:
|
| 1. How does this system prevent voter coercion, while still allowing receipt
| based recounts?
a)  Receipts in the VoteHere system are *not* used for recounts.  No receipt
that a user takes away can possibly be used for that - the chances of you being
able to recover even half the receipts a day after the election are probably
about nil.  Receipts play exactly one role:  They allow a voter who wishes to
to confirm that his vote actually was tallied.

b)  We've raised "prevention of voter coercion" on some kind of pedestal.
The fact is, I doubt it plays much of a real role.  If someone wants to coerce
voters, they'll use the kind of goons who collect on gambling debts to do it.
The vast majority of people who they try to coerce will be too frightened to
even think about trying to fool them - and if they do try, will lie so
unconvincingly that they'll get beaten up anyway.  Political parties that want
to play games regularly bring busloads of people to polling places.  They
don't check how the people they bus in vote - they don't need to.  They know
who to pick.

However, if this really bothers you, a system like this lets you trade off
non-coercion and checkability:  When you enter the polling place, you draw a
random ball - say, using one of those machines they use for lotteries.  If the
ball is red, you get a receipt; if it's blue, the receipt is retained in a
sealed box (where it's useless to anyone except as some kind of cross-check of
number of votes cast, etc.)  No one but you gets to see the color of the ball.
Now, even if you are being coerced and get a red ball, you can simply discard
the receipt - the polling place should have a secure, private receptacle; or
maybe you can even push a button on the machine that says "Pretend I got a
blue ball" - and claim you got a blue ball.  The fraction of red and blue
balls is adjustable, depending on how you choose to value checkability vs.
non-coercion.

|		  Or do you have some mechanism by which I can
| personally verify every vote which went into the total, to make sure they
| are correct?
In VoteHere's system, you can't possibly verify that every vote that went into
the total was correctly handled.  You can verify that the votes *that the
system claims were recorded* are actually counted correctly.  And you can
verify that *your* vote was actually recorded as you cast it - something you
can't do today.  The point of the system is that any manipulation is likely to
hit someone who chooses to verify their vote, sooner or later - and it only
takes one such detected manipulation to start an inquiry.

Whether in practice people want this enough to take the trouble ... we'll have
to wait and see.

| 2. On what basis do you think the average voter should trust this system,
| seeing as it's based on mechanisms he or she cant personally verify?
On what basis should an average voter trust today's systems?  How many people
have any idea what safeguards are currently used?  How many have any personal
contact with the poll watchers on whom the system relies?  Could *you* verify,
in any meaningful sense, the proper handling of a vote you cast?  Could you
watch the machines/boxes/whatever being handled?  Unless you're in with the
local politicians, don't bet on it.

| 3. What chain of events do I have to beleive to trust that the code which
| is running in the machine is actually and correctly derived from the
| source code I've audited? I refer you to Ken Thompsons classic paper
| "Reflections on trusting trust", as well as the recent Diebold debacle
| with uncertified patches being loaded into the machine at the
| last moment.
Actually, it makes no difference at all.  The algorithms are public, and all
the data that goes into the calculations are published after the election.
Anyone can implement the algorithms themselves and re-run all the calculations.

There are conceivable attacks on the various random number generators, which
could be used to reveal information that the system is supposed to keep secret
- but I don't think they can be used to change the election results.  This is
one place where the system could use some kind of "hardening", but it seems
very amenable to procedural fixes - e.g., each major party contributes a
"randomization module" that it trusts, and the results are combined.  Each
randomization module is also allowed to say "I want this result checked", at
random every k votes or so, *after* the combiner has produced its value.  When
any randomization module says that, all the inputs and the combiners output
are printed, then not used.  These values are published after the election,
and a bad combiner will quickly reveal itself.

							-- Jerry