Slashdot Mirror


A Secure and Verifiable Voting System

meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."

19 of 346 comments

  1. This doesn't seem quite bulletproof enough... by MrBlic · · Score: 1, Interesting

    The fancy printing seems a little complicated, and if you were to take the 'unreadable' copy and identify the individual 'pixels' printed on the paper, then holding up a patterned transparency which blocked the obfuscating elements of the image would reveal the real vote.

    What if instead, the voter was given a printout of the MD5 of a combination of (digesting all of) everyone they voted for and their (the voter's) social security number? It would be nonsense to anyone looking at it, but if they needed to verify their vote, they could specify all of their choices and their ssn again, and get the same MD5.

    The key is that it is an expensive operation to find an individual's SSN, then combine that with every permutation of who could be voted for, and match that with a printed MD5. You have reasonable privacy, and the ability to verify the vote. What more do we need?

    The problem of being able to verify information and keep it private has long been solved by cryptographic one way hashes.

    What do you think?

    --
    Celebrate Excellence!
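The hash-receipt idea in the comment above, written out as an added example (this is editorial code, not the commenter's, and the candidate list and SSN are constructed placeholders). It shows the two sides of the design: the voter can recompute the digest to confirm the receipt matches their choices, and anyone who holds both the receipt and the SSN can do the same enumeration, because the candidate-combination space is tiny and the only secret input is the SSN. That second property is the vote-selling concern raised in comments 4, 12 and 18.

```python
import hashlib
from itertools import product

# Constructed sample data for this example: a short candidate list per race.
# Nothing here comes from the thread or from any real ballot.
RACES = {
    "president": ["Candidate A", "Candidate B", "Candidate C"],
    "senate": ["Candidate D", "Candidate E"],
}

def receipt_digest(choices, ssn):
    """The proposed receipt: MD5 over all of the voter's choices plus their SSN.
    Races are serialised in a fixed (sorted) order so the digest is reproducible."""
    material = "|".join(f"{race}={choices[race]}" for race in sorted(RACES))
    material += "|" + ssn
    return hashlib.md5(material.encode()).hexdigest()

def verify_receipt(receipt, choices, ssn):
    """The voter's own check: re-enter the choices and SSN and compare digests."""
    return receipt_digest(choices, ssn) == receipt

def search_space_size():
    """Number of distinct ballots: the product of the candidate counts per race."""
    size = 1
    for options in RACES.values():
        size *= len(options)
    return size

def recover_vote(receipt, ssn):
    """What anyone holding the receipt and the SSN can do: try every ballot
    combination and stop at the one whose digest matches the printed receipt.
    The work is search_space_size() hashes, not the size of MD5's output space."""
    race_names = sorted(RACES)
    for combo in product(*(RACES[r] for r in race_names)):
        candidate = dict(zip(race_names, combo))
        if receipt_digest(candidate, ssn) == receipt:
            return candidate
    return None  # SSN wrong, or receipt not produced by this scheme

if __name__ == "__main__":
    my_vote = {"president": "Candidate B", "senate": "Candidate E"}
    fake_ssn = "000-00-0000"  # constructed placeholder, not a real SSN
    receipt = receipt_digest(my_vote, fake_ssn)
    print("receipt:", receipt)
    print("voter verifies:", verify_receipt(receipt, my_vote, fake_ssn))
    print("ballot space:", search_space_size())
    print("recovered from receipt + SSN:", recover_vote(receipt, fake_ssn))
```

The point the code makes is that verifiability and secrecy are the same operation here: whoever can verify can also recover. Later comments in the thread turn on exactly this, which is why the receipt in the Chaum design is built so that the voter alone cannot demonstrate their vote.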
  2. Misses the point completely by corebreech · · Score: 3, Interesting

    Most lay people assume the voting system is secure simply by virtue of it being computerized.

    I haven't looked at the spec for this yet, but I have to believe that this cannot be the answer, simply because most people won't be able to understand how this system is any different than the (electronic) one it replaces.

    More than anything else, voters have to be able to trust that their vote is being counted. And there will always be talk of powerful interests being given backdoors or being able to skew the results using exotic technologies like quantum cryptoanalysis.

    The only sure way of a) having a legitimate election where b) everyone can know their vote was counted is by c) publishing all the votes.

    Publish the votes. No batteries (cryptographic or otherwise) required.

  3. Re:Combination..--not quite by randall_burns · · Score: 2, Interesting
    There are still quite a few low tech means of committing vote fraud. IMHO open source and a paper trail are decent steps, but hard encryption so that anyone with a receipt can:

    prove they have an authentic receipt

    audit the records

    would also help quite a bit.


    Now, even that still doesn't handle stuff like people voting twice. We'll still need to worry about stuff like folks using false/invalid ID and voting (which is pretty rare I would suspect, but give them time).

  4. Re:Combination.. by Anonymous Coward · · Score: 5, Interesting

    It's not as simple as that. To prevent vote-selling, it can't be possible for someone to walk out the door with proof that they voted for a certain person. The press release gets further into these details, describing a convoluted two-piece receipt system.

  5. but still by rock_climbing_guy · · Score: 3, Interesting

    I like the idea of being able to verify that my vote counted, but how will everyone being able to verify their vote stop dead people from voting?

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  6. Re:One question.... by Anonymous Coward · · Score: 1, Interesting

    Will there be people involved at any point? If so then it's not secure, however it may be verifiable.

    Diebold's system involves people, but it is still not verifiable.

    Scenario:
    1. People come in and vote for Candidate X
    2. The votes are then re-allocated to the Republican candidate
    3. Republican receives larger share of profits from Diebold.

  7. Re:Combination.. by bigpat · · Score: 1, Interesting

    "The whole point of the 'fancy overly complicated receipt' is that it cannot (on it's own) be read or checked by some evil enforcer type person. But it can be checked initially in the voting booth (to ensure the vote was cast correctly) and later on by the voter by referencing some website or other."

    Okay I read the other half... Either I am being overly obtuse, or .... if the voter can look at the receipt and find her vote on some web site and see how she voted then how is it that someone else can't look over her shoulder and make sure she voted the right way. Or just take the ticket themselves and go to some website and make sure that the person had voted the right way. And if the receipt can't be used later to independently verify that the vote was recorded properly, then what is the point of the receipt?

    Sure this is a clever system, but adding this receipt system only adds a layer of obfuscation, still it seems that it is essential that the person holding the receipt still be able to verify that the vote that matches the receipt was cast correctly which breaks the model.

  8. Re:Nice idea by PurpleBob · · Score: 2, Interesting

    You misunderstand what he meant by "checking".

    Your ballot can be checked to ensure that it is a valid vote. The pixelating XOR stuff he did is to ensure that, while your vote can be checked for validity, it cannot be checked to see who you voted for, except by the board of trustees, who have the other half of the vote and have no information about who you are.

    --
    Win dain a lotica, en vai tu ri silota
  9. a flaw? by agurkan · · Score: 2, Interesting

    I tried to read the article and hopefully I am mistaken but would appreciate some comment on this.
    It seems that you are deprived of the ability to reproduce your vote outside the booth by separating the information into two pieces either of which is illegible/useless by itself. However, with the cellular phones taking digital pictures nowadays, could you not essentially take both of them with you if you want?
    If this is true then further security is needed to ensure that although you choose one of the two equally valid pieces, you cannot reach the other one at all. This, btw, can be done cryptographically.

    --
    ato
  10. Voting systems by Anonymous Coward · · Score: 1, Interesting

    "Automate a mess and you get a really fast mess".

    The whole "voting systems" thing is just soooooo wrong and silly.

    The issue is what people want. Address that, THEN work on how to record what it is they want. Sound IT projects start with objectives, not technologies.

    Let me suggest that Americans modernise the voting system before automating it. As it stands a candidate with 30% of the vote (that is, NOT wanted by 70% of voters) can win because all the others get less than 30%.

    You need optional preferential voting - so that someone can vote "1" (first preference) for the most preferred candidate (say, Nader) and if that the preferred candidate doesn't get over 50%, that voter's votes are added to the candidate designated "2" (second preference - perhaps Al Gore in this example).

    Different outcome because most people did not want Bush (on other occasions perhaps most people didn't want Clinton).

    Hey, there could even be multiple candidates from the same party - let the PEOPLE choose not the party machines (and don't tell me that Primaries do that - pah!)

    My personal tweak is to have an option called "none of the above" (NOTA). If candidate NOTA wins you have another election with none of the first bunch of turkeys allowed to stand.

  11. openvoting.org is a super nova of sunshine by goombah99 · · Score: 2, Interesting
    Open voting.org doesn't just have a "design", they have the whole system including the hardware and screen shots. Even the ballot design. Most importantly it's not just a mathematical show piece, it actually conforms to the bizarre voting system laws common in states.

    It publicly debuts in beta next month! And it's open source and voter verifiable. It's on SourceForge right now if you want to look; see EVM2003 or open voting. By the way, they still need more developers, testers and documentation writers. Also they need financial backers to package finished systems with tech support for the end users.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  12. RTFA by CedgeS · · Score: 2, Interesting

    The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the receipt is flawed.

    Laymen can check that their votes were counted correctly after the fact. However they can not check what their vote actually was, so a third party can't verify that the layman voted the way they wished.

    This is accomplished by printing two receipts which combined form an image of the voter's vote, but separated are random as in a one time pad encryption scheme. The voter is required to surrender one of these receipts for destruction, retaining an almost random sheet, which is uninterpretable without the possession of a large number of private keys.

    The voting machine can only forge one of the sheets (either internally or externally) and still record a recordable vote. The chance of it being detected is 50% either way, so to forge a mere 32 votes, the machine would have a 1 in 2^32, or one in 4 billion chance of going undetected.

    Similarly every trustee who holds private keys for the interpretation of votes has only a 50% chance of tampering with one vote, and having it be undetected by the other trustees, and has only a one in 4 billion chance of getting away with tampering with 32 votes. Similarly a collusion of all but one of the trustees has only a 50% chance of being undetected tampering with one vote, and has only a one in 4 billion chance of being undetected in tampering with 32 votes.

  13. Re:Too complicated... by waynemcdougall · · Score: 2, Interesting
    Double counting is the answer.

    Touchscreen records your ballot, prints it out for you to check, AND KEEPS COUNT ITSELF.

    You feed your paper ballot into a scanning machine that keeps count. And post your paper ballot in a ballot box.

    The touchscreen ballot generator and the scanner are produced by two entirely separate companies. Public specifications on the interface.

    Now if the two machines disagree about the ballot count you do a paper recount (and find out which vendor stuffed up, and don't use them again).

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
  14. Mathematicians don't think EVILLY enough by waynemcdougall · · Score: 3, Interesting
    Mod parent up.

    The proposal allows a VOTER to verify that their vote was properly cast and recorded.

    There is no protection for a candidate.

    With physical ballots, a candidate can ask for a recount of those ballots.

    As far as I can see, under this proposed system, you either accept the word of the computer, or you try and round up the anonymous (out-of-district or out of state) voters and ask them to please check their ballots.

    Snowball I can vote with impunity. Indeed I can add as many votes to the machine record as I want - I can have the machine churning out thousands of votes per hour, shred both copies, and just make sure the legitimate votes are also included in the tally.

    The proposal addresses completeness (all votes are recorded), accuracy (the votes are correctly recorded, or can be verified as having been so) BUT only by the voter - NOT the candidate who has to trust the machine or hope a voter picks up a fault.

    Validity (only proper votes are cast) is not addressed. Unless I'm missing something.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
    1. Re:Mathematicians don't think EVILLY enough by randall_burns · · Score: 2, Interesting
      I think you are right: mathematicians are trusting folks. I'm not an especially good mathematician. However, I have substantial experience dealing with fraud detection systems. I did an early database implementation for what became the world's most popular credit card fraud detection system. I've also worked on an investigation that put the CEO of a major corporation in prison.


      Much fraud is pretty low tech but involves manipulating lots of people. Basically many security mechanisms come down to the word of some combination of people-if those people can be compromised, the security is compromised.


      In the credit card world, it became pretty obvious that lots of license departments and law enforcement agencies were pretty much infiltrated. Stuff like voter registration cards? Well, it all comes down to paper. You might handle this to some extent by cameras in the polling places-but then there are still the mail-in ballots.


      The thing is that winner take all elections tend to encourage fraud, particularly in close elections. It is hard to vary results wildly from the polls these days (say more than 5%). This is all an excellent argument for proportional representation at least in the house. Condorcet voting offers another option for races where you are electing a single guy (the idea is to pick the least bad candidate in a series of 2 way races that are simulated from candidate rankings).


      What folks miss: there is pretty substantial evidence that Kennedy, Johnson and Nixon all engaged in substantial fraud. Between that and corporate influence-the US political system is pretty sick.

  15. Oh god, it gets worse... by Anonymous Coward · · Score: 2, Interesting

    They will also be candidates. Now we're doomed!

  16. Re:Too complicated... by waynemcdougall · · Score: 2, Interesting
    Paper recounts are not unreliable. That was not the problem in the last election in the United States.

    Paper recounts can be slow and tedious (relatively speaking) but will be done under independent scrutineers AND observers from all parties with a vested interest in the best outcome for themselves (which cancels out, meaning everyone is watching to make sure no one else cheats). Often paper recounts are done twice (to verify the answer) - with actual paper ballots you can count them as often as required. In practice if you've got two machine tallies that agree (or disagree) and then do a paper recount and it agrees (or agrees with one or all three disagree) you can look at which is closest and whether it makes a difference to the result. So someone picks up two ballots by mistake leaving you with a 1 vote error (in total and for one candidate). We'd expect a 1 vote discrepancy from the machines. Since the votes are physically placed in piles according to the votes cast, it is easy to flick through and check that all the votes in one pile belong to the same candidate. If 1 vote makes a difference we can count again.

    The problem in America was two-fold:

    a) some of the ballots were illegally laid out according to Florida state law (the butterfly ballot). This may have led some people to cast their vote for someone other than they intended. It's worth noting that all parties saw and approved the ballots before the election, and the same ballot layout was used in previous elections.

    b) the physical ballots in some places are made by a paper punch - in some cases the square of paper for a candidate hadn't been fully removed. In other cases an indentation had been made (weak wrists? or an elderly and infirm voter? changed their mind? or too many pieces of cardboard jammed in behind the punch?) And during each recount more and more cardboard pieces would fall out. :-(

    Neither of these is an issue with touch screens and computer printed ballots.

    I'm just saying separate the voting machine from the counting machine - have them check on each other - and keep a printed record you can go back to if the machines disagree (or someone doesn't trust both machines)

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
  17. Re:I'm sure he put lots of thought into it, by ralphbecket · · Score: 3, Interesting

    I never cease to be amazed at what is considered insightful on this forum.

    The *process* is very simple and completely automatic.

    The *reason* it works is *slightly* more complex, but is considerably easier to understand than, say, public key cryptography. This is not rocket science.

    Properties of the system:

    - it allows each voter to verify that their vote has been recorded;

    - it does not allow a voter, or anybody else involved, to prove which way they voted (i.e. voter anonymity is preserved throughout);

    - it includes an (automatic) auditing scheme that provides statistical near certainty (in the absence of *complete* collusion by the authorities) of detecting fifty or more instances of ballot rigging.

    It's elegant and simple and very easy to verify. Evidently, alas, the paper does not make this clear to everyone...
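The two-sheet receipt mechanism described in comment 12 (two printed layers that XOR to the ballot image, either one alone looking like one-time-pad output) and the detection figures quoted in comments 12 and 17 (a 1 in 2^32 chance of forging 32 votes undetected, near certainty of catching fifty), as an added editorial example. This is not code from the thread or from Chaum's paper; it uses the simplified audit model the comment gives, in which a cheating machine must tamper with one sheet before it learns which sheet the voter keeps, and is caught exactly when the voter kept the tampered one. The toy 16-pixel ballot is constructed.

```python
import random

PIXELS = 16  # constructed toy ballot size; a real ballot image is far larger

def make_sheets(ballot_bits, rng):
    """Split a ballot image (list of 0/1 pixels) into two sheets.
    Sheet A is a uniformly random pad; sheet B is the ballot XORed with A.
    Seen alone, each sheet is uniformly random, exactly as in a one-time pad."""
    sheet_a = [rng.randrange(2) for _ in ballot_bits]
    sheet_b = [bit ^ pad for bit, pad in zip(ballot_bits, sheet_a)]
    return sheet_a, sheet_b

def overlay(sheet_a, sheet_b):
    """Laying the two transparencies on top of each other: pixelwise XOR."""
    return [a ^ b for a, b in zip(sheet_a, sheet_b)]

def booth_check(ballot_bits, sheet_a, sheet_b):
    """The voter's in-booth check that the printed pair really encodes the ballot."""
    return overlay(sheet_a, sheet_b) == ballot_bits

def demo_roundtrip(seed=1):
    """Build one constructed ballot and its two sheets with a fixed seed."""
    rng = random.Random(seed)
    ballot = [rng.randrange(2) for _ in range(PIXELS)]
    sheet_a, sheet_b = make_sheets(ballot, rng)
    return ballot, sheet_a, sheet_b

def forgery_detected(kept_sheet, forged_sheet):
    """Simplified audit model from comment 12: the machine commits to tampering
    with sheet 0 or sheet 1 before learning which the voter keeps. The forgery
    is caught exactly when the voter walked out with that sheet, because the
    retained sheet is later compared against the published record."""
    return kept_sheet == forged_sheet

def undetected_probability(n_forged):
    """Exact probability that n independent forgeries all escape detection: (1/2)^n."""
    return 0.5 ** n_forged

def simulate_undetected_fraction(n_forged, trials, seed=7):
    """Monte Carlo check of the formula: fraction of trials in which every one of
    n_forged forgeries goes undetected, with the machine and each voter choosing
    a sheet independently and uniformly at random."""
    rng = random.Random(seed)
    clean_runs = 0
    for _ in range(trials):
        caught = any(
            forgery_detected(rng.randrange(2), rng.randrange(2))
            for _ in range(n_forged)
        )
        if not caught:
            clean_runs += 1
    return clean_runs / trials

if __name__ == "__main__":
    ballot, a, b = demo_roundtrip()
    print("sheet A alone:", a)
    print("sheet B alone:", b)
    print("booth check passes:", booth_check(ballot, a, b))
    for n in (1, 32, 50):
        print(f"{n} forgeries all undetected with probability {undetected_probability(n):.3g}")
    print("simulated, 3 forgeries:", simulate_undetected_fraction(3, 20000))
```

The two halves of the block correspond to the two properties the thread argues about. The pad construction is why the retained sheet cannot be used to prove a vote to anyone (comments 4, 7, 8, 18): it is indistinguishable from random without the destroyed half. The coin-flip audit is why the scheme still catches a cheating machine: each forgery is an independent 50/50, so 32 forgeries survive with probability 2^-32 (about one in four billion, as comment 12 says) and fifty with probability 2^-50, the "statistical near certainty" of comment 17.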

  18. Re:One question.... by mOdQuArK! · · Score: 2, Interesting
    After the election, you can go to a webpage and type in that number and it will tell you how that person voted. That allows the voter to verify the results.

    (sigh) Classic mistake naively implementing a "voting verification" system. You don't want a voter to be able to prove how they voted. If you do that, historically it has been proven that voters will be encouraged (either through positive - money, gifts, etc - or negative - intimidation, beatings, etc - feedback) to vote particular ways, instead of their conscience. Every voter has to have plausible deniability.

    That's why real voting systems try to only verify that each ballot was from a unique voter, and that the reported counts of the election can be reconstructed from the individual ballots.