Slashdot Mirror


A Secure and Verifiable Voting System

meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."

26 of 346 comments shown

  1. One question.... by Kenja · · Score: 2, Insightful

    Will there be people involved at any point? If so then it's not secure, however it may be verifiable.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:One question.... by egarland · · Score: 3, Insightful

      Someone please mod this down as overrated!!!

      You can build secure systems on top of insecure components. See any encrypted internet protocol for an example.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  2. Combination.. by 403Forbidden · · Score: 2, Insightful

    Open source + Paper trail = secure voting.

    How much longer till they figure this out?

    1. Re:Combination.. by cjgross · · Score: 5, Insightful

      In order to be verifiable, you need the paper output. If the voting machines would generate a unique paper output from each machine as a backup, votes could be recounted and audited. Each paper ballot could be encrypted and stored in a 2D barcode. It would be easy to scan and verify, and the data could not be altered without invalidating the CRCs. Electronic voting will never be stand-alone until we have a valid way to audit the results. cjg

      --
      "It is a miracle that curiosity survives formal education."
    2. Re:Combination.. by bigpat · · Score: 0, Insightful

      after reading halfway through the paper...

      I have to agree with the above comment. There is no need for the fancy overly complicated receipt that they talk about in the referenced paper.

      Just print out the choices and have the person verify them before they are put in a box. Then the ballots in the box can be counted if someone challenges the results of the electronic tabulation. Heck, the vote doesn't have to be recorded on paper, but it does have to be a physical record that is either confirmed by the person who has just voted or directly created by the person themselves (i.e. pen to paper).

      Having some sort of receipt just misses the point and seems overly complicated. But mostly it doesn't properly address privacy concerns and vote buying or coercion... if you have a receipt and the votes that correspond to that receipt are publicly released and you were told to vote a certain way by your union or boss, then you can be coerced to show your receipt to someone. That is essentially why anonymous voting was put into place, so that social, economic and violent pressure could not be applied outside the voting center. So there must be no way of linking a specific person to a vote that has been cast once that person submits their vote. That is why the physical record is so important, since counting again is the only way to check your first count.

    3. Re:Combination.. by Anonymous Coward · · Score: 5, Insightful

      Me again from VoteHere. Open source is fine if it is all you have, but it is far better to have an auditable data trail. Remember that computers like the ones in most voting machines are "general purpose computing devices", so it is difficult to know exactly what code is running on them. Opening the source will help you be sure that there somewhere exists good software that, if you ran it in the voting machines, would lead to an accurate election, but it does not give any confidence that the machine actually was running that software, and only that software. Paper makes for a fine audit trail if you have nothing better, but ask anyone who voted in Chicago in the last century how well it does by itself to prevent election fraud. It is far better to extend the auditable portion of the data all the way through the election process to tabulation so that anyone could verify that the final count did in fact match the populace's intent.

    4. Re:Combination.. by Jeremiah+Cornelius · · Score: 2, Insightful
      You really don't understand what happened here, do you?

      A proprietary back-door hidden in object code and protected by DMCA is the alternative to the proposal of open source voting technology. Die Die Die -bold and ESS have demonstrated this in actuality.

      Hiding algorithms does not improve cryptography - and revealing them does not weaken it.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    5. Re:Combination.. by kilgore_47 · · Score: 4, Insightful

      bigpat wrote: Having some sort of receipt just misses the point and seems overly complicated. But mostly it doesn't properly address privacy concerns and vote buying or coersion... if you have a receipt and the votes that correspond to that receipt are publicly released and you were told to vote a certain way by your union or boss, then you can be coerced to show your receipt to someone

      You didn't read it right. You can't print out your throwaway half and see who you voted for. You can print out (from the website) a copy of the half you took with you, to confirm that your vote wasn't tampered with between you placing it and it getting to the central database or wherever. This sentence (from the article) confused me for a moment too, and I think you misunderstood it: "You would then be able to check for yourself that it has been posted correctly by, for instance, printing it out and overlaying the two and seeing that they are the same." They mean you can print out your half, not the other half that would reveal who you voted for.

      The whole point of these fancy receipts is that nobody can use your receipt to see who you voted for. They can only use your receipt to confirm your vote is on the site (and as such, that you voted).

      (Mods should really mod the parent comment down as it's spreading a total misunderstanding of the concept).

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    6. Re:Combination.. by cfradenburg · · Score: 4, Insightful

      While the barcode is a good idea, in my opinion the main advantage to having a paper printout is so that the voter can visually verify that their vote is correct. Due to the fact that the main issue here is votes getting recorded correctly, confirmation on the screen isn't enough. A barcode isn't good enough for that unless it's easy to read (have a sheet with what each code matches, for example). While we're at it, why do electronic voting at all if they need to be verified with counting? If the paper is just there in case someone disputes the results that's one thing, but if it will be counted to verify anyway it's not worth doing electronic voting. The other issue with a printout is voter privacy. This isn't as large with the groups I hang out with, but to others it may be a very big deal. This means that every page or section of a page that records a vote on paper must be hidden before the next voter enters. Not something that's hard, but it needs to be considered.

  3. I'm sure he put lots of thought into it, by blueberry(4*atan(1)) · · Score: 3, Insightful
    and it may be a good system. However, it is more complex than the current checkbox or hole punch system. The more complexity, the more difficult it is to fully consider all the possible vulnerabilities.

    I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives. Just voting is key to any democracy, so tread lightly!

    1. Re:I'm sure he put lots of thought into it, by homer_ca · · Score: 1, Insightful

      Yes, this does seem overly complex. You could do this much more easily with a KISS approach:

      Print one human-readable receipt that you drop in the ballot box. There's still the problem of ensuring anonymity and preventing ballot stuffing, but that could be solved pretty easily. Generate a list of random or even serial UIDs for each polling place, enough for all registered voters and a few extra for provisional ballots. Print the UID on the bottom of the receipt, with maybe a sleeve to hide everything but the UID. Now, have two paper rosters: one for registered voters and one for UIDs. When someone votes, cross their name off the voter roster and cross the UID they used off the UID roster.

      There you have it. Instant electronic results. Human readable paper ballots. Anonymous paper trail of UIDs used and voters who voted. Am I missing anything?

    2. Re:I'm sure he put lots of thought into it, by Dastardly · · Score: 2, Insightful

      Am I missing anything?

      Yep. Independent verification that your vote is valid and was counted.

      In terms of voting and counting votes it isn't as complicated as it sounds.

      1) Vote on a computer.
      2) Computer prints receipt.
      3) Select top or bottom from the computer screen.
      4) Computer prints validation code.
      5) Take receipt.
      6) Give the half that says "Give to poll personnel" to poll personnel for shredding.
      7) Encrypted voting data transferred to counting location where keys are used to decrypt and count results.
      8) Celebrate your candidate winning.

      The complicated stuff comes in with the verification that your vote is valid and counted. That is the posting of the image of your receipt on the website. If it is identical to the part you kept, your vote was counted correctly; if it was not, your vote was not counted.

      Third parties can verify your vote was valid as you exit by checking the digital signature. So, a hacked polling place can be identified as well.

      I may miss some subtleties by simplifying, but while the implementation seems complicated, the practice is a lot less complicated.

      In thinking about it, the computer could still tally votes as each voter removes their receipt. You then still post the receipt images on the web, but only perform the full recount of the encrypted data if there is a complaint.
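      The two-layer receipt that kilgore_47 and Dastardly describe above, reduced to its core mechanism as an added example. This is not Chaum's published construction and not code from the linked paper: the visual-cryptography pixel layers are replaced by an XOR of two byte strings, the fixed-width vote encoding is an assumption, and a "trustee store" of the shredded layer stands in for whatever the real tabulators reconstruct from the encrypted data. What it shows is the property the thread argues about: the half you keep is checkable on the bulletin board byte for byte, yet it is consistent with every possible vote, so it cannot be used to prove how you voted.

```python
import secrets
from collections import Counter
from typing import Dict, Tuple

VOTE_LEN = 16  # fixed-width encoding so every encoded vote looks alike (assumption)


def encode_vote(candidate: str) -> bytes:
    data = candidate.encode("utf-8")
    if len(data) > VOTE_LEN:
        raise ValueError("candidate name too long for the fixed-width encoding")
    return data.ljust(VOTE_LEN, b"\x00")


def decode_vote(overlay: bytes) -> str:
    return overlay.rstrip(b"\x00").decode("utf-8", errors="replace")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_layers(candidate: str) -> Tuple[bytes, bytes]:
    """Two layers whose XOR ('overlaying' them) is the vote.

    The top layer is uniformly random, so the bottom layer is too; either
    one on its own is statistically independent of the vote."""
    top = secrets.token_bytes(VOTE_LEN)
    bottom = xor(encode_vote(candidate), top)
    return top, bottom


class ToyElection:
    """Booth, bulletin board and trustee store collapsed into one object.

    In a real deployment the shredded layer is never stored in the clear;
    the private trustee store here is an assumption of this toy."""

    def __init__(self) -> None:
        self.bulletin_board: Dict[str, bytes] = {}   # public: receipt id -> kept layer
        self._trustee_layers: Dict[str, bytes] = {}  # private: receipt id -> other layer

    def cast(self, candidate: str, keep: str) -> Tuple[str, bytes]:
        """Voter picks 'top' or 'bottom' after seeing both; the other is shredded."""
        top, bottom = split_into_layers(candidate)
        kept, shredded = (top, bottom) if keep == "top" else (bottom, top)
        receipt_id = secrets.token_hex(8)
        self.bulletin_board[receipt_id] = kept
        self._trustee_layers[receipt_id] = shredded
        return receipt_id, kept

    def check_receipt(self, receipt_id: str, kept: bytes) -> bool:
        """The voter's check: is my kept half posted, byte for byte?"""
        return self.bulletin_board.get(receipt_id) == kept

    def tally(self) -> Dict[str, int]:
        """Tabulation recombines the posted layer with the trustees' layer."""
        counts: Counter = Counter()
        for receipt_id, kept in self.bulletin_board.items():
            overlay = xor(kept, self._trustee_layers[receipt_id])
            counts[decode_vote(overlay)] += 1
        return dict(counts)


def explain_as(kept: bytes, claimed_candidate: str) -> bytes:
    """For ANY candidate, produce a counterpart layer that overlays with the
    kept half to show that candidate. Every story is equally consistent with
    the receipt, which is why a coercer learns nothing from seeing it."""
    return xor(encode_vote(claimed_candidate), kept)


if __name__ == "__main__":
    election = ToyElection()
    rid, kept = election.cast("Candidate A", keep="top")      # constructed names
    election.cast("Candidate B", keep="bottom")
    print("receipt posted correctly:", election.check_receipt(rid, kept))
    print("tally:", election.tally())
    fake = explain_as(kept, "Candidate B")
    print("same receipt 'proves' Candidate B:", decode_vote(xor(kept, fake)))
```

      The check and the deniability are the two halves of the argument in the thread: tampering with a posted layer is caught by anyone who compares their receipt to the board, while the receipt itself, being a uniformly random string, is as good evidence for one candidate as for any other.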

  4. Too bad.. by xchino · · Score: 3, Insightful

    It's too bad this won't get any support, as it doesn't make politicians any profit. Maybe if they could promise Bush Ohio's vote, or line some pockets with green, they'll get some government backing. I think there should be a law against a politician having a vested interest in the means by which they are elected.

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.
  5. Not acceptable by Marcus+Erroneous · · Score: 4, Insightful

    How in the world do you expect the penny ante politicians to get elected with an honest, secure system? More importantly, how is Bu$h supposed to get re-elected with a fair, impartial, secure and verifiable voting system? Fortunately, here in the good ol' US of A, we're free to chose a more politically useful system. ;)

    --
    You must be the change you wish to see in the world - Gandhi
  6. Re:This doesn't seem quite bulletproof enough... by harangutan · · Score: 3, Insightful

    What if instead, the voter was given a printout of the MD5 of a combination of (digesting all of) everyone they voted for and their (the voter's) social security number?

    Not a chance. First of all, even if the SSN were as difficult to obtain as you suppose (hint: it's not), it wouldn't be of any help against vote-selling, as the voter would cheerfully surrender his SSN if he wanted to get paid.

    As for the rest, you're radically overestimating the number of permutations an election can typically have -- a dozen yes or no decisions and one or two candidates each for a handful of offices could be permuted by any cheap desktop PC in very short order.

  7. Re:This doesn't seem quite bulletproof enough... by Anonymous Coward · · Score: 1, Insightful

    The trouble with your MD5 approach is that it does not offer any protection against coercion. This is a relatively difficult thing to guard against.

    If I were a bad guy in your system (remember, when dealing with security you must always be the bad guy) I'd give you a list of who to vote for, and you must bring me back a receipt and then tell me your SSN. I can probably get your SSN via some other channel, anyhow. Once you return, I put into my computer how I told you to vote, and your SSN and make sure you followed the rules. NO? I blow away your cute little pet dog! Or some other nefarious deed.

    A one-way hash is a useful thing in some circumstances... What you need is a zero-knowledge proof.

    (disclaimer: I work for VoteHere, Inc and we have a somewhat better system than Chaum, but it is a bit harder to explain with pretty pictures.)
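    The brute-force point harangutan makes above (a dozen yes/no questions and a few offices is a tiny search space) and the coercion scenario in the reply, worked through as an added example rather than anything from the article. The ballot, the candidate names, the SSN and the serialisation fed to MD5 are all constructed for the example. Given the receipt and the SSN, the coercer simply recomputes the digest for every possible way of filling in the ballot.

```python
import hashlib
import itertools
from typing import Dict, Iterator, List, Optional

# Constructed toy ballot: a few offices and yes/no measures. Names are made up.
BALLOT: Dict[str, List[str]] = {
    "governor": ["Candidate A", "Candidate B"],
    "senator": ["Candidate C", "Candidate D", "Candidate E"],
    "measure_1": ["yes", "no"],
    "measure_2": ["yes", "no"],
    "measure_3": ["yes", "no"],
}


def receipt_digest(choices: Dict[str, str], ssn: str) -> str:
    """The receipt proposed in the thread: MD5 over every choice plus the SSN.

    The serialisation (office=choice pairs joined by '|', SSN last) is an
    assumption; any fixed, recomputable encoding behaves the same way."""
    payload = "|".join(f"{office}={choices[office]}" for office in BALLOT) + "|" + ssn
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def all_ballots() -> Iterator[Dict[str, str]]:
    """Every way of filling in the ballot: the coercer's entire search space."""
    offices = list(BALLOT)
    for combo in itertools.product(*(BALLOT[office] for office in offices)):
        yield dict(zip(offices, combo))


def search_space() -> int:
    """Number of distinct ballots. Even a long real ballot stays small."""
    size = 1
    for options in BALLOT.values():
        size *= len(options)
    return size


def recover_vote(digest: str, ssn: str) -> Optional[Dict[str, str]]:
    """What a coercer or vote buyer does with the receipt and the SSN:
    recompute the digest for each candidate ballot until one matches."""
    for candidate_ballot in all_ballots():
        if receipt_digest(candidate_ballot, ssn) == digest:
            return candidate_ballot
    return None


if __name__ == "__main__":
    voter_choices = {
        "governor": "Candidate B",
        "senator": "Candidate D",
        "measure_1": "no",
        "measure_2": "yes",
        "measure_3": "no",
    }
    ssn = "123-45-6789"  # constructed value
    receipt = receipt_digest(voter_choices, ssn)
    print(f"{search_space()} possible ballots; receipt {receipt}")
    print("coercer recovers:", recover_vote(receipt, ssn))
```

    Swapping MD5 for a stronger hash changes nothing here: the weakness is the small input space combined with the voter's ability to recompute the digest. Twenty independent yes/no questions give only 2^20 (about a million) ballots, which is seconds of work. Kjella's comment further down makes the same point from the other side: a receipt the voter can use to re-derive the vote is a receipt the voter can be forced to re-derive.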

  8. How we'll REALLY know . . . by CleverNickName · · Score: 4, Insightful

    We'll know that this is a real and secure voting method just as soon as all the incumbents and lobbyists come out and blast it as "dangerous" and find some way to connect it to terrorism.

  9. Re:Is a paper trail really that important? by Anonymous Coward · · Score: 2, Insightful

    A paper trail does make it magically more secure. This isn't referring to you keeping paper, it is referring to a piece of paper with the vote on it being stored somewhere.

    Those machines with levers? They make paper trails.

    Without this, the votes are ONLY digital. As such, any unauthorized access can, en-masse, change the only record of the votes. Paper cannot be changed nearly so easily, and especially not so secretly. It allows a recount if the machine count seems unreasonable.

    It is genuinely an incredible increase in election reliability, especially for something so simple.

  10. Too complicated... by jjh37997 · · Score: 4, Insightful

    Here's what we need...

    A touch screen voting booth that lets voters select the candidates they want.

    After the voter casts their vote the booth prints out a ballot that's a machine readable scantron sheet.

    The voter checks to make sure that the candidates they selected are recorded on the ballot and feeds it into a scantron reader. It's this machine that actually records the voter's vote.

    This way not only do we get the benefit of a machine count but a paper trail to boot.

    1. Re:Too complicated... by gumbi+west · · Score: 2, Insightful

      Only a few need to check to make sure that this vote was tallied correctly.

  11. paper trail by mehtars · · Score: 2, Insightful

    Even if there is an open audit of the source and a paper trail, most of the candidates will still request a recount of the ballots by hand. Call me a bit old-fashioned, but I still believe that the best way to hold an election is to do it on paper rather than on a computer. Even the most secure open-source OS can have security holes....

  12. Printing Technology by femto · · Score: 2, Insightful
    One would have to make sure the printing technology was 'perfect'. What if there was some residual image of the 'red' layer superimposed on the 'white' layer (for example, heat leaking between the two layers of a thermal printer)? Then it would be possible to 'reverse engineer' a receipt and the ballot may no longer be secret.

    Incidentally, most of the alternative suggestions offered by slashdotters seem to compromise the secrecy of the ballot. Secrecy might not seem important to the average slashdotter, but it is important if your family will disappear when you get caught voting for the opposition.

  13. Which is exactly what they *don't* want to achieve by Kjella · · Score: 2, Insightful

    but if they needed to verify their vote, they could specify all of their choices and their ssn again, and get the same MD5.

    They do *not* want you to be able to verify how you voted, because then you might be *forced* to verify it. What they're trying to do is give you a receipt that you have delivered a valid vote, and that this vote can be verified as having been counted, without revealing which candidate the vote was for.

    The reason for this is simple - with manual counting, you need to involve a lot of people around the country to reasonably affect the vote. With an electronic count, who's to know if you simply replaced the final numbers?

    Unfortunately, it's more difficult to show that your vote is a subset of a group (the total votes) than it is to make a 1-to-1 mapping. It sounds quite smart from the brief read-through I made, but yes, I wouldn't make any hasty decisions.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  14. Re:I've attended a David Chaum lecture by cens0r · · Score: 1, Insightful

    The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the receipt is flawed.

    --
    Jack Valenti and Orrin Hatch will be first up against the wall when the revolution comes.
  15. I don't get it. by Anonymous Coward · · Score: 1, Insightful

    Why spend all this time, money, and effort on such a small problem? Yes, all mechanical systems are going to have some error rate, but that error rate can be (and generally IS) minuscule. The only time error has the potential to change the outcome of a vote, even under the most poorly designed systems, is when the actual vote is extremely close. What's more, this mechanical error is essentially RANDOM; in other words, it's not likely to be biased towards one side or the other. Somehow to talk about this changing the "will of the people" strikes me as an extremely hollow complaint.

    Do NOT confuse mechanical error with HUMAN error on the part of the voters (as in the case of Florida in 2000, "voting" for multiple candidates). It is very possible to design a mechanical system to make these sorts of HUMAN errors extremely rare (which are generally pretty exceptional in the first place); electronic voting generally provides no better assurances that this cannot happen. Even where HUMAN errors occur, unless you believe certain groups of voters are innately dumber or more naive than other groups, this error can largely be made irrelevant by ensuring consistency in voting methods across all counties at far less cost and trouble than these electronic systems.

    It's too early to really comment on this particular system, but as a general rule it comes out for me like this:

    a) Face random error (0.3%) that comes with mechanical voting systems, with very little possibility for widespread fraud.

    b) Face no random error but accept the potential for massive fraud because of the very electronic nature of it. In other words, a small group of people who are smart or powerful enough could potentially alter the votes enough to put a candidate who is otherwise unelectable (e.g., some wacko on the far left or far right). These problems are unique to electronic voting. The integrity of the mechanical voting as a whole can be verified and audited by someone with modest intelligence. Either the lever swings and punches a HOLE or it does NOT--they are not complicated devices. All this at the cost of billions of dollars! WHY?

    No group is apt to benefit or be hurt statistically by spending the money on this (fixing the other problems is a different argument). So why bother, particularly when it increases the risks of some fringe group rising to power?

  16. Re:Mathematicians don't think EVILLY enough by ralphbecket · · Score: 2, Insightful

    Yes, there is protection for the candidate.

    The auditing process provides statistical guarantees that (in the absence of complete collusion by the polling agents) (a) every ballot is counted, (b) no extra ballots have been inserted, and (c) no ballot has been tampered with.

    Furthermore, all of this information is provided on the web. Each voter can check that their vote was recorded and anybody at all can check the final tally (the plaintext electronic ballot papers are also published, but they cannot be traced back to individual voters.)

    It's a great system. It's just a shame that the paper doesn't explain it simply enough (for the Slashdot crowd to understand, at any rate :-)