Slashdot Mirror

FFS, doesn't anyone do any research before posting stories? 60 seconds of research would turn up the Wikipedia entry on End-to-end audible voting systems. The problem of being able to verify that your vote is recorded as you intended without revealing the actual content of your vote has been solved by several teams. The ones that seem to have the best handle on things are Scantegrity, Pret-a-Voter, and Punchscan (the predecessor of Scantegrity) .

Using Bitcoin (which in fact has anti-anonymity properties) as an engine for voting is like attaching a tractor to a horse carriage. It may get you where you want to go, but it's nothing like a proper motor vehicle.

--Paul

One example is Punchscan, a system where you vote by marking your choice on a double sheet of paper with holes punched through the top sheet so that you simultaneously mark both sheets. The top sheet, which has the candidates' names on it, is destroyed, the other is scanned and then taken home. The sheets you take home doesn't have the names of the candidates on them (they are referred to by randomly ordered letters), so nobody can tell who you voted for, but you can later look up the scanned version online to verify that the markings match and your vote was counted.

http://punchscan.org/

Fortunately, if they stick to their 2006 decision, this can't affect Quebec, who have banned all future ideas related to electronic voting.

On a related note, the only eVoting system I've seen that I would actually trust is Punchscan... note however that it only allows you to later verify that your vote was cast and counted correctly when you come home from the polls. It's not intended for internet voting, which comes with a whole extra set of problems.

So is this basically assuming that the Q table will never get leaked? *confused*

Very good question. It took me some time to dig into it to figure out the answer.

The answer is yes. The system assumes that the full contents of the tables will never get leaked. Table P is never revealed at all and table Q is partially revealed according to a specific scheme. Access to the full contents of Q, R and S allows the reconstruction of P. Access to P reveals the structure of all ballots.

Improper access to the contents of the tables, plus access to a voter's verification codes reveals who that voter voted for.

The authors' solution to this is in assumption 5 of section 5.2.1: "Election officials use a special trusted computer workstation (as described in [14]) to enforce the privacy of the tables of confirmation codes."

The secure diskless workstation mentioned in [14] is adequate for a university election, but in my opinion it's insufficiently secure for an important election. However, I think that an adequate machine can be built, and I build high-security cryptographic key management systems for a living. The same techniques and approach used to protect the master cryptographic keys that protect hundreds of billions of dollars should be sufficient.

My recommendation would be to use something like an IBM 4764 cryptographic coprocessor -- or any other programmable FIPS 140-2 level 4 certified device. Use it to generate P, and program it to output P for external storage (because P is likely too large for internal storage) only in encrypted form. Likewise with Q. The selective revelation of Q should be done by the secure device, with an external input providing the "coin flips".

The source code for the device should be open source and published, and the binary should also be published. The 4764 already includes a very clever and very secure mechanism for incrementally loading verified software, starting with a dead simple boot loader which is trivial to verify and produces hashes of each further loading stage. Loading should be done under oversight by all interested parties.

If generation of P is done by a deterministic PRNG, then you can have P generated in parallel by multiple identical devices, one under the control of each major party and perhaps a watchdog group or two as well, and all can verify that the encrypted version of P is identical. The way to do that is to start with one device and then use a secure clone operation to replicate the master key and the PRNG seed from one device to another.

Even though the devices are highly, highly resistant to penetration (millions must be spent in multiple serious attempts to penetrate a device in order for it to achieve level 4 certification), all parties operating such a device must allow oversight from any other interested parties. This is also necessary to ensure that no unauthorized clones are created -- though the software should make use of the device's hardware "security ratchet" to ensure that once put into the "generate P" mode, the cloning functionality is disabled.

After the partial revelation of Q (done in parallel), all of the devices should be breached, in public, under oversight, which will cause them to destroy their master keys. The devices should probably also be publicly destroyed.

The final potential weakness is pre-tampering with the devices. If the device could be subverted even before the first software is loaded, then all of the security disappears. Manufacturers of such devices take great pains in the manufacturing process to be able to prove that they produce reliable devices, but those measures are insufficient for something like a major election.

I think another iteration of the cut-and-choose style verification Chaum is so fond of is the solution. Or in this case perhaps it should be called 'choose and cut'. The election officials should de

Seemingly very easy to implement...
http://www.punchscan.org/

Verifiability. And that is almost impossible if you don't provide a printout. All the solutions that provide a printout could succeed though, for example Bingo voting or Punchscan.
So far companies such as Diebold sell "we know this is 100% secure, trust us" and that seems to be what sufficed for the people choosing a product. Cost, loss of democracy and provable security haven't been a criterion it seems.

Um, that's why I mentioned http://punchscan.org/ . Check it out.

The problems you mention appear to have been solved already. There was a /. article a while back about Punchscan, a two-part ballot system, where the order of the choices for each selection is randomized, and a special keyed algorithm is necessary to know the choice order for any given ballot. The 2-part ballot has two layers, separating the choice description from the choice label; one part alone would not indicate how a choice was made. When the voter marked through a choice, it marked both layers. The voter could choose which layer to shred, while the other is counted and retained as a receipt. It has a system where the voter can go online to verify his ballot.

The real problem with voting is that you cannot see what happens once your ballot has been cast. Remember the quote attributed to Stalin: "Those who cast the votes decide nothing. Those who count the votes decide everything."

The only solution to this problem that I can think of is to provide a system that allows any interested party to count the votes. If only one party can count the votes, they are automatically suspect. If a limited number of parties can count the votes, then they can create problems that are not easily resolved. If anyone can count the votes, then most of those problems go away. How to achieve this, while still retaining anonymity, might not be easy (I can't say for certain, not having studied the problem deeply).

It is an End-to-end (E2E) cryptographic system with independent verification. The system is designed to be transparent to everyone, candidates, voters, election officials, media, courts et al.

Punchscan lets you walk out with a record of how you voted, but it's useful only to you. No one can determine what candidates you voted for, they can merely determine that the votes were recorded as cast. http://www.punchscan.org/

You can't make the system 'voter auditable' without losing the secret ballot.

Oh yes you can.

Punchscan has animations and pdfs explaining how it could work.

Now I feel like a wuss for complaining about the lack of a voter-verified paper trail.

There are about four groups of people working to rectify this problem. The one I've been following is Punchscan which looks like they have everything covered except fraudulent registration. Slashdot covered Punchscan here.

An election process has to provide the following characteristics (in some countries these are taken serious):

      1. Access: Only people allowed for voting may place their vote
      2. Equality: Each person may only be counted once and with the same weight of vote.
      3. Privacy: Noone can find out for whom a person voted.
      4. Secure against forgery:
                  1. Valid votes can not be changed/forged.
                  2. Valid votes may not be destroyed.
                  3. Invalid votes may not be added
      5. Checkable: Each voter has the possibility, independent from any other person, to check the correctness of an election including all previous points.
( I didn't find this in the English Wikipedia, this is a quick translation from the German Wikipedia )**.

You cannot ensure these with voting machines without the use of paper*. It is not a matter of code, just a fact of information and physics.

Use paper. Optionally with punchscan and the such. Even the cost factor is irrelevant. Democracy is worth it.

____
*Maybe with quantum computers. But can the average person check the setup? With paper, you can.
** I'd be grateful for a link

For fuck's sake, can we just use an open source solution or build a better one already? This should be OSS's moment to shine because amongst us there are the ideas, talent and skills to make a system that for all purposes is more secure, transparent and robust than what is currently on offer from Diebold or any other proprietary vendor.

Actually, it may be easier than you think to sell a vote. Read more here: How Secret is Your Ballot? (1/3). Very interesting stuff. There are lots of ways in which someone can verify that you voted the way you claimed.

Worse than just selling your vote, this can be used for voter coercion.

Some people think paper is just the perfect solution for voting, but really it has many problems that can be solved by electronic voting when done carefully. (And of course, when done haphazardly electronic voting has many problems that paper voting does not).

For many of the same reasons there is no semblance of a secure electronic voting platform on the horizon.

Here is one of the more incredible accounts.

I guess maybe punchscan has it right...

Separating the human readable and machine readable ballot, and then shredding the human readable one, keeps the door open for tampering with the counting software (you might have marked choice A for your candidate on the human readable ballot but what if the counting software counts choice A as a different candidate).
True, though both ballots are machine readable and human readable. Either sheet, chosen by the voter, can be shredded. Software can be tampered with, but the people hand-counting votes can also be tampered with. Also, since punchscan is open-source (BSD licensed) it's easier to verify that the software is working as it should be.
How do you then prove how it was supposed to be counted?
You prove it was recorded correctly by having the results of the marking viewable by any voter online. This image shows the process, you want part 3, post election audit.
If you're going to in some way securely preserve the human readable portion, why bother separating them in the first place?
Separation prevents vote buying while allowing the voters to keep and verify their own paper trail. You can verify that your votes were counted as you marked them (a, b, or left hole, right hole,) but you can't associate the marks with who you voted for. So you know your votes were counted as marked, and you know you marked them for the candidates you want, but no one else can reliably determine the correlation without having access to ALL the encryption keys.
Also if you keep a copy of your cast ballot then a voters can be intimidated by threat of retaliation, and bribed with certainty of the result.
From the FAQ: If a vote-buyer or coercer tells the voter where to mark before the voter enters the polling place, then those marks will correspond to random votes. This is because only in the booth can the voter see what vote corresponds to what mark on the receipt (as mentioned in question 2). So paying for such marks is actually paying for random votes, which is substantially the same as paying someone not to vote at all. But paying people not to vote can be achieved more directly (and even online), since who votes in US elections is generally visible and in practice a matter of public record. Influencing voters not to vote on certain contests, while allowing them to vote their choice on others, is essentially a waste of the influencer's efforts, which would be more effective if the voter were kept from voting altogether. Observing how long people spend in booths has been used in improper influence schemes, and lever machines even make a distinctive sound for each contest voted. Nevertheless, an "overvote" position (inherent in many other paper-based voting systems) combined with a mark per contest requirement, lets a punchscan receipt hide even which contests were voted.
What is so freaking bad about a ballot which is simultaneously human and machine readable which is turned in via secret ballot?
The individual voters must trust both the vote counters and the vote auditors, with punchscan the voters ARE the primary auditors. Since any voter can audit their own votes any voter can expose election fraud. This makes fraud much harder. It's similar to the "many eyes" principle used by open-source software. Also from the FAQ:
21. Wouldn't good old-fashioned paper ballots counted by hand in each polling place provide a higher level of integrity for election outcomes?
The reasons for automating in the US actually included improving integrity as well as the difficulty of counting the many contests. It might be possible to get enough people to observe and count in the US today in order to achieve a high-level of integrity for basic voting. But such an approach cannot secure absentee ballots traveling through the mails, a significant and growing fraction of voting, that has different demographics/statistics and thus cannot be ignored as far as integrity. Also, polling-place counting cannot pro

What they should do is use this. It seems to address all of the problems with machine votes, AND all of the problems of the traditional system.

In contrast, anything where you can't connect a voter with a vote WILL have corruption.

All you need for that is to issue a serial number with a voting stub. Let the voter check that a given serial number exists in the tally, and what the vote was recorded as.

The reason that's not a requirement is that if the other requirements are defined correctly, access to the source code is irrelevant. If the other requirements are not defined correctly, access to the source code is also irrelevant, because there's no practical way to be sure what code is actually running on the voting machines.

The only reasonable way to do electronic voting is to define a system such that there is no way the software could manipulate the vote without being detected, no matter how malicious the software. It should be possible to contract the software development to Halliburton and let them keep all of the code top secret, and *still* have no worries that voters ballots aren't counted exactly as the voters intended.

Tall order? Not really. A voter-verifiable paper trail accomplishes this rather easily. If you want to get really serious about it, David Chaum's punchscan system provides every voter with the ability to verify their vote was recorded correctly, but without enabling them to prove how they voted to anyone.

Of course, I have no objection to open source voting machines. In fact, I think it's a really good idea for economic reasons. But in terms of eliminating election machine-driven election fraud, open source is neither necessary nor sufficient. It's irrelevant.

We just ran a story here a few weeks ago about PunchScan, whose method solves that problem, and more. If you recall, they won a contest for the best Open Source Voting Systems Competition.

Links: Recent headline about winning the competition PunchScan's website original mention on /.

Actually Punchscan is very disabled friendly. For example, if you are unable to physically mark a ballot and need an aide, that aide would typically see how you vote. With Punchscan, you can show one ballot half to the voter and the give the other half to the aide. The voter can tell the aide to mark "a" or "b" or whatever, and the aide will have no idea who the vote is being counted for. With the visually impaired, you can use braille or you can use audio ballots. Check out the Punchscan page for more: http://punchscan.org/disabled.php http://punchscan.org/DetailedDisabilities.php

Actually Punchscan is very disabled friendly. For example, if you are unable to physically mark a ballot and need an aide, that aide would typically see how you vote. With Punchscan, you can show one ballot half to the voter and the give the other half to the aide. The voter can tell the aide to mark "a" or "b" or whatever, and the aide will have no idea who the vote is being counted for. With the visually impaired, you can use braille or you can use audio ballots. Check out the Punchscan page for more: http://punchscan.org/disabled.php http://punchscan.org/DetailedDisabilities.php

So if all I can verify is that I voted for A, A, D, and C, then how can I actually verify that my vote was counted correctly.

So if all I can verify is that I voted for A, A, D, and C, then how can I actually verify that my vote was counted correctly.

So if all I can verify is that I voted for A, A, D, and C, then how can I actually verify that my vote was counted correctly.

(and I searched through the comments, FYI :) - GOOD RIDDANCE!

What we need is voting solutions like this:

http://www.openvotingconsortium.org/our_solution

or this:

http://punchscan.org/faq.php

or some combination of the above two.

Let's make this country the #1 democracy in the world all over again. Let everyone know that feasible voting solutions exist in the here and now and are solved with current technology!

For the record, cryptographically secure tallying is possible. You can give each voter a partial reciept that can't prove how they voted, but has a 50% chance of being able to prove it if the vote wasn't correctly included in the tally.

See http://punchscan.org/ for an example implementation.

There are at least two very credible schemes that allow you to determine whether your vote was counted correctly (although perhaps not from a 'published result'). Two of them are David Chaum's Punchscan system, and Ron Rivest's Triple-Ballot System. There are another three or four I could mention, but the authors lack the immediate name recognition of Chaum or Rivest.

Please do basic research before making statements like this in the future.

(Why, yes, I am an NSF-funded voting security researcher. Obligatory disclosure: I know both Rivest and Chaum. They're part of the voting security research group I'm on.)

Now might be a good time to point people in the direction of Punchscan.org, previously chronicled on Slashdot here

• Accounting Fraud Charges. While votes are not represented by some dollar amount, they require the same integrity. To career politicians, they *are* dollar figures, both in the public tax dollars that pay their offices, and the financial clout those offices empower in them. It just makes sense that the harshest federal laws (SEC?) should be applied to those who permit hidden bookkeeping in black box machines, who miserably fail an audit trail, and who get caught in the act of falsifying records in federal elections.
• Encryption-based Voting. The website for PunchScan.org shows how a voter can be certain at the poll their vote is cast-as-intended, and take home a receipt that verifies their vote is counted-as-cast. That latter item is sadly lacking in current eVoting systems.
• Direct Democracy. Career politicans are using a system of "representation" that was very necessary... 200 years ago. Today's technology leaves little excuse for why the electoral college should contradict the popular vote.
• Party Independence. "One choice more than Russia" is little choice at all, if more than superficial. When two "opposing" parties collude, they break any checks and balances they'd otherwise compete to enforce. So if, for instance, the judicial and executive branches collude *not* to check each other, then they can make crime into freedom and freedom into crime. It's better for all of us if special interests (e.g. Big Oil) are faced with paying off five or more choices rather than the two party duopoly.

According to the "HACKING DEMOCRACY" HBO Documentary, Cuyahoga County (Cleveland) Elections threw out the signed paper audit tapes used in the 2004 elections, despite the legal obligation to file them for 14 mounths after a presidential election. Bev Harris of Black Box Voting is seen retreiving the tapes from the election board's warehouse trash, with signatures, and it shows hunreds of discrepencies from the "official" tape they printed afresh for her.

In my own experiences here in Butler County Ohio, I have no confidence in the results of our elections: suspicous to say the least. This year's 2006 results deny every Democrat candidate any victory in each race, despite the larger state totals (including non-electronic voting counties) giving the win to a Democratic Governer, Secretary of State, Treasurer, and Senator. But what makes the local results anomolous is that the House Representative an local offices were awarded to Republicans, and the county itself is largely a 'welfare county' whose largest City (Middletown) is founded on a failing steel industry. The disparity seems more closely tied to the voting machines than the voter demographics. Creepy.

No, you open up the right side of 100% of the votes and the left side of 100% of the votes -- but you permute the votes so that they can't be lined up. This is why multiple mapping tables are used.

You should check out http://punchscan.org/ for a clever solution to auditing.

This is not snake oil. Punchscan is supported by the non-profit Center for Governmental Studies. It is an open system that has been reviewed by a lot of experts. This fact doesn't prove Punchscan's value, but it does make it worthy of careful consideration.

Your receipt does NOT show how you voted, but it DOES prove that your vote counted as you cast it. "Impossible," you say? Then why not explain how anyone (including the election authority or someone who hacks its computers) can cheat the system without being detected?

But before doing so, you should probably review this: security video
And you also need to understand some cryptography concepts, such as these: one time pad commitment scheme zero knowledge proof

If paper is the answer, then why did every recount in the 2000 Florida election produce a different tally? And why do many experts believe that Ohio was stolen in 2004 primarily by stuffing of paper ballots?

[My background: I am a verification engineer for NVIDIA who has been following Punchscan since the NSF's Voting Systems Workshop in June.]

First, SERIOUSLY read the FAQ. Please.

Next, you can prove to YOURSELF that your vote was cast as intended and recorded as cast. You can prove to yourself and anyone else that your vote was (or wasn't) counted as recorded. You ABSOLUTELY CANNOT prove to anyone else the VALUE of your vote (i.e: who you voted for.)

Third, yes we know that the people at the top don't want a verifiable system. This has to come from the bottom up. Fortunately, it is largely local governments who are responsible for the purchase and use of voting equipment. Since this technology is out here, you should DEMAND it from your government. You should NOT accept unverifiable elections anymore.

Feel free to ask me questions, by the way.

There is a video on the website that explains how this works.

But how do I know that the cheating doesn't happen at this stage?

As far as I can tell from the technical paper the election authority creates twice as many ballots than needed, and then half of them are randomly selected for auditing prior to the election. With security and other auditing controls, once the ballots and the machinery pass the auditing test, all you need to do is ensure that the counting machines and other half of ballots are not tampered with prior to the election.

Incorrect, there's an audit of that. Watch the overview, esp. the 2nd part of introduction and "security."

2. Don't paper receipts and online checking facilitate vote selling or coercion of voters?

No. Whichever of the two sheets of a Punchscan ballot form--top or bottom-the voter keeps as a receipt, it does not reveal the votes: the top sheet does not reveal what letters were visible through the holes in it; and the bottom sheet does not reveal which letter was next to which candidate name on the top sheet. What is displayed online is just a copy of the receipt the voter keeps. Thus, short of illegally making a photograph in the booth, there is no way for voters to convince others of who they voted for.

http://punchscan.org/faq-general.php#1

I'll sell my vote for $500, you can even verify it with this hole thingy.

The slideshow is a little opaque, but the concept is you can't. The only way you can tell how the voter voted is by having both pieces of paper. (Look closer at the paper being shredded. While there is a mark on it, it was the piece of paper the voter kept that indicated whether that mark was for A or B.)

Their website has a .pdf on it that explains how it works better than I can...particularly because I'm still trying to wrap my head around it.

It looks like the receipt cannot be used to prove which candidates were selected. The only thing that is verified is that the vote was not changed after the vote is submitted, sort of like a fingerprint of the ballot instead of a simple copy, but I haven't read the details yet. http://punchscan.org/faq-general.php#1

they explain that it's impossible to determine how somebody voted without the other half of the ballot.

http://punchscan.org/demos/election/

I've read up on some on PunchScan, though I'm no expert. I think its got potential.

This is simply ridiculous. Cryptologist David Chaum, for example, has created a couple of systems which use encoded receipts which allow the voter to later check that his vote was recorded properly (say by going online), but don't allow him to prove to a third party how he voted, thus satisfying voting regulations geared toward preventing vote selling (for those anti-free-market types, who don't believe you should be able to sell your vote).

These systems employ random processes, using seeds like the final closing price of the stock market, to select a set of random ballots from the pre-talley group for "decryption" by linking them to the final talley group. It can be statistically shown that just auditing a small number of the votes this way can make an undetected ballot forgery extremely likely to be detected. More than a few fraud votes become virtually impossible to go undetected.

The systems work, even if every off-the-shelf computer used as a voting machine (they can be put to use in schools and such during the interrims between elections) is running malicious code, instead of the proper open source code it's supposed to be running.

Why are we not using these types of systems?!

I AM PULLING MY HAIR OUT RIGHT NOW BECAUSE I DON'T FUCKING KNOWWWWWWWWWWWW!!!!!!!

http://punchscan.org/