Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Secure and Verifiable Voting System

Posted by michael on from the he-makes-it-look-easy dept.

meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."

21 of 346 comments (clear)

  1. One question.... by Kenja · · Score: 2, Insightful

    Will there be people involved at any point? If so then its not secure, however it may be verifiable.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:One question.... by egarland · · Score: 3, Insightful

      Someone please mod this down as overrated!!!

      You can build secure systems on top of insecure components. See any encrypted internet protocol for an example.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  2. Combination.. by 403Forbidden · · Score: 2, Insightful

    Open source + Paper trail = secure voting.

    How much longer till they figure this out?

    1. Re:Combination.. by cjgross · · Score: 5, Insightful

      In order to be verifiable, you need the paper output. If they voting machines would generate a unique paper output from each machine as a backup, votes could be recounted and audited. Each paper ballot could be encrypted and stored in 2D electronic barcode. It would be easy to scan and verify and data could not be altered without invalidating the crc's. Electronic voting will never be stand alone until we have a valid way to audit the results. cjg

      --
      "It is a miracle that curiosity survives formal education."
    2. Re:Combination.. by Anonymous Coward · · Score: 5, Insightful

      Me again from VoteHere, open source is fine if it is all you have, but it is far better to have an auditable data trail. Remember, that computers like the ones in most voting machines are "general purpose computing devices" so it is difficult to know exactly what code is running on them. Opening the source will help you be sure that there somewhere exists good software that if you ran it in the voting machines would lead to an accurate election, but it does not give any confidence that the machine actually was running that software, and only that software. Paper makes for a fine audit trail if you have nothing better, but ask anyone who voted in Chicago in the last century how well it does by itself to prevent election fraud. It is far better to extend the auditable portion of the data all the way through the election process to tabulation so that anyone could verify that the final count did in fact match the populous' intent.

    3. Re:Combination.. by Jeremiah+Cornelius · · Score: 2, Insightful
      You really don't undeerstand what happened here do you?

      A proprietary back-door hidden in object code and protected by DMCA is the alternative to the proposal of open source voting technology. Die Die Die -bold and ESS have demonstrated this in actuality.

      Hiding algorithms does not improve cryptography - and revealing them does not weaken it.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:Combination.. by kilgore_47 · · Score: 4, Insightful

      bigpat wrote: Having some sort of receipt just misses the point and seems overly complicated. But mostly it doesn't properly address privacy concerns and vote buying or coersion... if you have a receipt and the votes that correspond to that receipt are publicly released and you were told to vote a certain way by your union or boss, then you can be coerced to show your receipt to someone

      You didn't read it right. You can't print out your throwaway half and see who you voted for. You can print out (from the website) a copy of the half you took with you, to confirm that your vote wasn't tampered with between you placing it and it getting to the central database or wherever. This sentence (from the article) confused me for a moment too, and I think you misunderstood it: "You would then be able to check for yourself that it has been posted correctly by, for instance, printing it out and overlaying the two and seeing that they are the same." They mean you can print out your half, not the other half that would reveal who you voted for.

      The whole point of these fancy reciepts is that nobody can use your receipt to see who you voted for. They can only use your receipt to confirm your vote is on the site (and as such, that you voted).

      (Mods should really mod the parent comment down as it's spreading a total misunderstanding of the concept).

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    5. Re:Combination.. by cfradenburg · · Score: 4, Insightful

      While the barcode is a good idea, in my opinion the main advantage to having a paper printout is so that the voter can visually verify that their vote is correct. Due to the fact that the main issue here is votes getting recorded correctly confirmation on the screen isn't enough. A barcode isn't good enough for that unless it's easy to read (have a sheet with what each code matches for example.) While we're at it, why do electronic voting at all if they need to be verified with counting? If the paper is just there in case someone disputes the results that's one thing but if it will be counted to verify anyway it's not worth doing electronic voting. The other issue with a printout is voter privacy. This isn't as large with the groups I hang out with but to others it may be a very big deal. This means that every page or section of a page that records a vote on paper must be hidden before the next voter enters. Not something that's hard but it needs to be considered.

  3. I'm sure he put lots of thought into it, by blueberry(4*atan(1)) · · Score: 3, Insightful
    and it may be a good system. However, it is more complex than the current checkbox or hole punch system. The more complexity, the more difficult it is to fully consider all the possible vulnerabilities.

    I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives. Just voting is key to any democracy, so tread lightly!

    --

    Visit the best Liberal Blog: DU

    1. Re:I'm sure he put lots of thought into it, by Dastardly · · Score: 2, Insightful

      Am I missing anything?

      Yep. Independent verification that your vote is valid and was counted.

      In terms of voting and counting votes it isn'y as complicated as it sounds.

      1) Vote on a computer.
      2) Computer prints receipt.
      3) Select top or bottom from the computer screen.
      4) Computer prints validation code.
      5) Take receipt.
      6) Give half that says "Give to poll personel" to poll personel for shredding.
      7) Encrypted voting data transferred to counting location where keys are used to decrypt and count results.
      8) Celebrate your candidate winning.

      The complicated stuff comes in withthe verification that your vote is valid and counted. That is the posting of the image of your receipt on the website. If it is identical to the part you kept your vote was counted correctly, if it was not, your vote was not counted.

      Third parties can verify your vote was valid as you exit by checking the digital signature. So, a hacked polling place can be identified as well.

      I may miss some subtleties by simplifying, but while the implimentation seesm comlicated, the practice is a lot less complicated.

      In thinking about it, the computer could still tally votes as each voter removes their receipt. You then still post the receipt images on the web, but only perform the full recount of the encrypted data if there is a complaint.

  4. Too bad.. by xchino · · Score: 3, Insightful

    It's too bad this won't get any support, as it doesn't make politicians any profit. Maybe if they could promise Bush Ohio's vote, or line some pockets with green, they'll get some government backing. I think there should be a law against a politician having invested interest into the means by which they are elected.

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.
  5. Not acceptable by Marcus+Erroneous · · Score: 4, Insightful

    How in the world do you expect the penny ante politicians to get elected with an honest, secure system? More importantly, how is Bu$h supposed to get re-elected with a fair, impartial, secure and verifiable voting system? Fortunately, here in the good ol' US of A, we're free to chose a more politically useful system. ;)

    --
    You must be the change you wish to see in the world - Ghandi
  6. Re:This doesn't seem quite bulletproof enough... by harangutan · · Score: 3, Insightful

    What if instead, the voter was given a printout of the MD5 of a combination of (digesting all of) everyone they voted for and their (the voter's) social security number?

    Not a chance. First of all the SSN, even if it were as difficult to obtain as you suppose (hint: it's not), this wouldn't be of help in vote-selling, as the voter would cheerfully surrender his SSN if he wanted to get paid.

    As for the rest, you're radically overestimating the number of permutations an election can typically have -- a dozen yes or no decisions and one or two candidates each for a handful of offices could be permuted by any cheap desktop PC in very short order.

  7. How we'll REALLY know . . . by CleverNickName · · Score: 4, Insightful

    We'll know that this is a real and secure voting method just as soon as all the incumbents and lobbyists come out and blast it as "dangerous" and find some way to connect it to terrorism.

  8. Re:Is a paper trail really that important? by Anonymous Coward · · Score: 2, Insightful

    A paper trail does make it magically more secure. This isn't referring to you keeping paper, it is referring to a piece of paper with the vote on it being stored somewhere.

    Those machines with levers? They make paper trails.

    Without this, the votes are ONLY digital. As such, any unauthorized access can, en-masse, change the only record of the votes. Paper cannot be changed nearly so easily, and especially not so secretly. It allows a recount if the machine count seems unreasonable.

    It is genuinely an incredible increase in election reliability, especially for something so simple.

  9. Too complicated... by jjh37997 · · Score: 4, Insightful

    Here's what we need...

    A touch screen voting booth that lets voters select the canidates they want.

    After the voter casts their vote the booth prints out a ballot that's a machine readable scantron sheet.

    The voter checks to make sure that the canidates they selected are recorded on the ballot and feeds it into a scantron reader. It's this machine that actually records the voter's vote.

    This way not only do we get the benifit of a machine count but a paper trail to boot.

    1. Re:Too complicated... by gumbi+west · · Score: 2, Insightful

      Only a few need to check to make sure that this vote was tallied correctly.

  10. paper trail by mehtars · · Score: 2, Insightful

    Even if there is an open audit of the source and a paper trail, most of the canidates will still request a recount of the ballots by hand. Call me a bit old fashion, but I still believe that the best way to hold an election is to do it on paper rather than on a computer. Even the most secure open-source OS can have security holes....

  11. Printing Technology by femto · · Score: 2, Insightful
    One would have to make sure the printing technology was 'perfect'. What if there was some residual image of the 'red' layer superimposed on the 'white' layer (for example, heat leaking between the two layers of a thermal printer)? Then it would be possible to 'reverse engineer' a receipt and the ballot may no longer be secret.

    Incidentally, most of the alternative suggestions offered by slashdotters seem to compromise the secrecy of the ballot. Secrecy might not seem important to the average slashdotter, but it is important if your family will disappear when you get caught voting for the opposition.

  12. Which is exactly what they *don't* want to achieve by Kjella · · Score: 2, Insightful

    but if they needed to verify their vote, they could specify all of their choices and their ssn again, and get the same MD5.

    They do *not* want you to be able to verify how you voted, because then you might be *forced* to verify it. What they're trying to do is give you a recipt that you have delivered a valid vote, and that this vote can be verified as having been counted, without revealing for which candidate the vote was for.

    The reason for this is simple - with manual counting, you need to involve a lot of people around the country to reasonably affect the vote. With an electronic count, who's to know if you simply replaced the final numbers?

    Unfortunately, it's more difficult to show that your vote is a subset of a group (the total votes) than it is to make a 1-to-1 mapping. It sounds quite smart from the brief read-through I made, but yes, I wouldn't make any hasty decisions.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  13. Re:Mathematicians don't think EVILLY enough by ralphbecket · · Score: 2, Insightful

    Yes, there is protection for the candidate.

    The auditing process provides statistical guarantees that (in the absence of complete collusion by the polling agents) (a) every ballot is counted, (b) no extra ballots have been inserted, and (c) no ballot has been tampered with.

    Furthermore, all of this information is provided on the web. Each voter can check that their vote was recorded and anybody at all can check the final tally (the plaintext electronic ballot papers are also published, but they cannot be traced back to individual voters.)

    It's a great system. It's just a shame that the paper doesn't explain it simply enough (for the Slashdot crowd to understand, at any rate :-)