Slashdot Mirror


A Secure and Verifiable Voting System

meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."

15 of 346 comments

  1. Misses the point completely by corebreech · · Score: 3, Interesting

    Most lay people assume the voting system is secure simply by virtue of it being computerized.

    I haven't looked at the spec for this yet, but I have to believe that this cannot be the answer, simply because most people won't be able to understand how this system is any different from the (electronic) one it replaces.

    More than anything else, voters have to be able to trust that their vote is being counted. And there will always be talk of powerful interests being given backdoors or being able to skew the results using exotic technologies like quantum cryptanalysis.

    The only sure way of a) having a legitimate election where b) everyone can know their vote was counted is by c) publishing all the votes.

    Publish the votes. No batteries (cryptographic or otherwise) required.

  2. Re:Combination..--not quite by randall_burns · · Score: 2, Interesting
    There are still quite a few low-tech means of committing vote fraud. IMHO open source and a paper trail are decent steps, but hard encryption so that anyone with a receipt can:

    prove they have an authentic receipt

    audit the records

    would also help quite a bit.


    Now, even that still doesn't handle stuff like people voting twice. We'll still need to worry about stuff like folks using false/invalid ID and voting (which is pretty rare I would suspect, but give them time).

  3. Re:Combination.. by Anonymous Coward · · Score: 5, Interesting

    It's not as simple as that. To prevent vote-selling, it can't be possible for someone to walk out the door with proof that they voted for a certain person. The press release gets further into these details, describing a convoluted two-piece receipt system.

  4. but still by rock_climbing_guy · · Score: 3, Interesting

    I like the idea of being able to verify that my vote counted, but how will everyone being able to verify their vote stop dead people from voting?

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  5. Re:Nice idea by PurpleBob · · Score: 2, Interesting

    You misunderstand what he meant by "checking".

    Your ballot can be checked to ensure that it is a valid vote. The pixelating XOR stuff he did is to ensure that, while your vote can be checked for validity, it cannot be checked to see who you voted for, except by the board of trustees, who have the other half of the vote and have no information about who you are.

    --
    Win dain a lotica, en vai tu ri silota
  6. a flaw? by agurkan · · Score: 2, Interesting

    I tried to read the article and hopefully I am mistaken but would appreciate some comment on this.
    It seems that you are deprived of the ability to reproduce your vote outside the booth by separating the information into two pieces, either of which is illegible/useless by itself. However, with cellular phones taking digital pictures nowadays, could you not essentially take both of them with you if you want?
    If this is true then further security is needed to ensure that although you choose one of the two equally valid pieces, you cannot reach the other one at all. This, btw, can be done cryptographically.

    --
    ato
  7. openvoting.org is a super nova of sunshine by goombah99 · · Score: 2, Interesting
    OpenVoting.org doesn't just have a "design", they have the whole system including the hardware and screen shots. Even the ballot design. Most importantly it's not just a mathematical show piece, it actually conforms to the bizarre voting system laws common in states.

    It publicly debuts in beta next month! And it's open source and voter verifiable. It's on SourceForge right now if you want to look: see EVM2003 or open voting. By the way, they still need more developers, testers and documentation writers. Also they need financial backers to package finished systems with tech support for the end users.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  8. RTFA by CedgeS · · Score: 2, Interesting

    The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the receipt is flawed.

    Laymen can check that their votes were counted correctly after the fact. However they can not check what their vote actually was, so a third party can't verify that the layman voted the way they wished.

    This is accomplished by printing two receipts which combined form an image of the voter's vote, but separated are random as in a one-time pad encryption scheme. The voter is required to surrender one of these receipts for destruction, retaining an almost random sheet, which is uninterpretable without the possession of a large number of private keys.

    The voting machine can only forge one of the sheets (either internally or externally) and still record a recordable vote. The chance of it being detected is 50% either way, so to forge a mere 32 votes, the machine would have a 1 in 2^32, or one in 4 billion chance of going undetected.

    Similarly, every trustee who holds private keys for the interpretation of votes has only a 50% chance of tampering with one vote and having it be undetected by the other trustees, and has only a one in 4 billion chance of getting away with tampering with 32 votes. Similarly, a collusion of all but one of the trustees has only a 50% chance of being undetected in tampering with one vote, and has only a one in 4 billion chance of being undetected in tampering with 32 votes.

  9. Re:Too complicated... by waynemcdougall · · Score: 2, Interesting
    Double counting is the answer.

    Touchscreen records your ballot, prints it out for you to check, AND KEEPS COUNT ITSELF.

    You feed your paper ballot into a scanning machine that keeps count. And post your paper ballot in a ballot box.

    The touchscreen ballot generator and the scanner are produced by two entirely separate companies. Public specifications on the interface.

    Now if the two machines disagree about the ballot count you do a paper recount (and find out which vendor stuffed up, and don't use them again).

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
  10. Mathematicians don't think EVILLY enough by waynemcdougall · · Score: 3, Interesting
    Mod parent up.

    The proposal allows a VOTER to verify that their vote was properly cast and recorded.

    There is no protection for a candidate.

    With physical ballots, a candidate can ask for a recount of those ballots.

    As far as I can see, under this proposed system, you either accept the word of the computer, or you try and round up the anonymous (out-of-district or out of state) voters and ask them to please check their ballots.

    Snowball I can vote with impunity. Indeed I can add as many votes to the machine record as I want - I can have the machine churning out thousands of votes per hour, shred both copies, and just make sure the legitimate votes are also included in the tally.

    The proposal addresses completeness (all votes are recorded) and accuracy (the votes are correctly recorded, or can be verified as having been so) BUT only by the voter - NOT the candidate, who has to trust the machine or hope a voter picks up a fault.

    Validity (only proper votes are cast) is not addressed. Unless I'm missing something.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
    1. Re:Mathematicians don't think EVILLY enough by randall_burns · · Score: 2, Interesting
      I think you are right - mathematicians are trusting folks. I'm not an especially good mathematician. However, I have substantial experience dealing with fraud detection systems. I did an early database implementation for what became the world's most popular credit card fraud detection system. I've also worked on an investigation that put the CEO of a major corporation in prison.


      Much fraud is pretty low tech but involves manipulating lots of people. Basically many security mechanisms come down to the word of some combination of people; if those people can be compromised, the security is compromised.


      In the credit card world, it became pretty obvious that lots of license departments and law enforcement agencies were pretty much infiltrated. Stuff like voter registration cards? Well, it all comes down to paper. You might handle this to some extent by cameras in the polling places-but then there are still the mail-in ballots.


      The thing is that winner-take-all elections tend to encourage fraud, particularly in close elections. It is hard to vary results wildly from the polls these days (say more than 5%). This is all an excellent argument for proportional representation, at least in the House. Condorcet voting offers another option for races where you are electing a single guy (the idea is to pick the least bad candidate in a series of 2-way races that are simulated from candidate rankings).


      What folks miss: there is pretty substantial evidence that Kennedy, Johnson and Nixon all engaged in substantial fraud. Between that and corporate influence-the US political system is pretty sick.

  11. Oh god, it gets worse... by Anonymous Coward · · Score: 2, Interesting

    They will also be candidates. Now we're doomed!

  12. Re:Too complicated... by waynemcdougall · · Score: 2, Interesting
    Paper recounts are not unreliable. That was not the problem in the last election in the United States.

    Paper recounts can be slow and tedious (relatively speaking) but will be done under independent scrutineers AND observers from all parties with a vested interest in the best outcome for themselves (which cancels out, meaning everyone is watching to make sure no one else cheats). Often paper recounts are done twice (to verify the answer) - with actual paper ballots you can count them as often as required.

    In practice, if you've got two machine tallies that agree (or disagree) and then do a paper recount and it agrees (or agrees with one, or all three disagree), you can look at which is closest and whether it makes a difference to the result. So someone picks up two ballots by mistake, leaving you with a 1 vote error (in total and for one candidate). We'd expect a 1 vote discrepancy from the machines. Since the votes are physically placed in piles according to the votes cast, it is easy to flick through and check that all the votes in one pile belong to the same candidate. If 1 vote makes a difference we can count again.

    The problem in America was two-fold:

    a) some of the ballots were illegally laid out according to Florida state law (the butterfly ballot). This may have led some people to cast their vote for someone other than they intended. It's worth noting that all parties saw and approved the ballots before the election, and the same ballot layout was used in previous elections.

    b) the physical ballots in some places are made by a paper punch - in some cases the square of paper for a candidate hadn't been fully removed. In other cases an indentation had been made (weak wrists? or an elderly and infirm voter? changed their mind? or too many pieces of cardboard jammed in behind the punch?) And during each recount more and more cardboard pieces would fall out. :-(

    Neither of these is an issue with touch screens and computer printed ballots.

    I'm just saying separate the voting machine from the counting machine - have them check on each other - and keep a printed record you can go back to if the machines disagree (or someone doesn't trust both machines)

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
  13. Re:I'm sure he put lots of thought into it, by ralphbecket · · Score: 3, Interesting

    I never cease to be amazed at what is considered insightful on this forum.

    The *process* is very simple and completely automatic.

    The *reason* it works is *slightly* more complex, but is considerably easier to understand than, say, public key cryptography. This is not rocket science.

    Properties of the system:

    - it allows each voter to verify that their vote has been recorded;

    - it does not allow a voter, or anybody else involved, to prove which way they voted (i.e. voter anonymity is preserved throughout);

    - it includes an (automatic) auditing scheme that provides statistical near certainty (in the absence of *complete* collusion by the authorities) of detecting fifty or more instances of ballot rigging.

    It's elegant and simple and very easy to verify. Evidently, alas, the paper does not make this clear to everyone...
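
The two-sheet receipt and the "50% per forged vote" audit argument laid out in comments 8 and 13 above, as an added worked example. This is illustrative code written for this page, not Chaum's implementation or anything taken from the paper or the press release. It keeps the structure those comments describe but simplifies it: the pseudorandom pattern of each layer is derived with an HMAC from a single trustee key and the receipt serial number (standing in for the layered, encrypted seeds that let the trustees regenerate the patterns in the real scheme); the ballot is a 24-pixel image printed at double resolution, so that either half of the printed positions alone still reads as the whole ballot; and the candidate names, the trustee key and the serial numbers are all made up.

```python
"""Simplified model of a two-layer, voter-verifiable ballot receipt (added example).

Overlaying (XOR-ing) the two printed layers shows the ballot. Each layer on its own
is one-time-pad random. The voter keeps one layer, chosen after both are printed;
the trustees can regenerate the pseudorandom half of the kept layer (audit) and
strip the mask from its other half (tally). A machine that forges the vote must
corrupt one layer's audit half, and gets caught whenever the voter keeps that one.
"""
import hashlib
import hmac

CANDIDATES = ["ALICE", "BOB", "CAROL"]          # made-up names
BLOCK = 8                                       # logical pixels per candidate block
LOGICAL = BLOCK * len(CANDIDATES)               # 24 logical pixels
PRINTED = 2 * LOGICAL                           # each logical pixel printed twice


def render_ballot(choice):
    """Logical image: the chosen candidate's block is filled, the others blank.
    Each logical pixel k is printed at positions 2k and 2k+1, so either the even
    or the odd positions alone reproduce the whole image."""
    logical = [1 if c == choice else 0 for c in CANDIDATES for _ in range(BLOCK)]
    return [bit for bit in logical for _ in range(2)]


def read_ballot(logical):
    """Map a 24-pixel logical image back to a candidate, or None if unreadable."""
    for idx, c in enumerate(CANDIDATES):
        block = logical[idx * BLOCK:(idx + 1) * BLOCK]
        others = logical[:idx * BLOCK] + logical[(idx + 1) * BLOCK:]
        if all(block) and not any(others):
            return c
    return None


def layer_mask(trustee_key, serial, layer):
    """Pseudorandom layer pattern the trustees can regenerate from the serial.
    (HMAC from one shared key stands in for the real scheme's encrypted seeds.)"""
    digest = hmac.new(trustee_key, f"{serial}:{layer}".encode(), hashlib.sha256).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(8)]
    return bits[:PRINTED]


def print_layers(trustee_key, serial, choice, forge_as=None):
    """The booth prints two layers whose XOR is the voter's ballot image V.
    Even positions: top = R_top,        bottom = V xor R_top
    Odd positions:  top = V xor R_bot,  bottom = R_bot
    A cheating machine (forge_as) rewrites the top layer's vote-carrying (odd)
    half so the trustees read forge_as, and patches the bottom layer so the
    overlay the voter inspects in the booth still shows the genuine ballot."""
    v = render_ballot(choice)
    v_claimed = render_ballot(forge_as) if forge_as else v
    r_top = layer_mask(trustee_key, serial, "top")
    r_bot = layer_mask(trustee_key, serial, "bottom")
    top, bottom = [], []
    for i in range(PRINTED):
        if i % 2 == 0:
            top.append(r_top[i])
            bottom.append(v[i] ^ r_top[i])
        else:
            top.append(v_claimed[i] ^ r_bot[i])
            bottom.append(v[i] ^ top[i])        # forgery leaves this != R_bot
    return top, bottom


def overlay(top, bottom):
    return [a ^ b for a, b in zip(top, bottom)]


def trustees_process(trustee_key, serial, layer, bits):
    """Audit the kept layer's pseudorandom half, decode its vote half.
    Returns (audit_passed, candidate_or_None)."""
    r_top = layer_mask(trustee_key, serial, "top")
    r_bot = layer_mask(trustee_key, serial, "bottom")
    if layer == "top":
        audit_ok = all(bits[i] == r_top[i] for i in range(0, PRINTED, 2))
        logical = [bits[i] ^ r_bot[i] for i in range(1, PRINTED, 2)]
    else:
        audit_ok = all(bits[i] == r_bot[i] for i in range(1, PRINTED, 2))
        logical = [bits[i] ^ r_top[i] for i in range(0, PRINTED, 2)]
    return audit_ok, read_ballot(logical)


def receipt_digest(serial, layer, bits):
    """What a public bulletin board would publish; voters compare their copy."""
    return hashlib.sha256(f"{serial}:{layer}:{''.join(map(str, bits))}".encode()).hexdigest()


def complementary_layer(kept_bits, claimed_choice):
    """Why a kept layer proves nothing to a vote buyer: for every candidate there
    is a second layer that overlays the kept one to show exactly that candidate."""
    return [a ^ b for a, b in zip(kept_bits, render_ballot(claimed_choice))]


def undetected_probability(forged_votes):
    """Each forged receipt survives the voter's layer choice with probability 1/2."""
    return 0.5 ** forged_votes


if __name__ == "__main__":
    key = b"trustee-shared-secret"              # made-up trustee key
    top, bottom = print_layers(key, 1001, "BOB")
    print("booth overlay reads:", read_ballot(overlay(top, bottom)[::2]))
    print("kept top    ->", trustees_process(key, 1001, "top", top))
    print("kept bottom ->", trustees_process(key, 1001, "bottom", bottom))
    ftop, fbottom = print_layers(key, 1002, "BOB", forge_as="ALICE")
    print("forged, kept top    ->", trustees_process(key, 1002, "top", ftop))
    print("forged, kept bottom ->", trustees_process(key, 1002, "bottom", fbottom))
    print("P(32 forgeries undetected) =", undetected_probability(32))
```

In the forged case the bottom layer's audit half differs from R_bot at exactly the positions where the genuine and the forged ballot images differ, so the trustees catch it whenever the voter happens to keep that layer; the forgery only survives when the voter keeps the top layer, which is the one-coin-flip-per-vote argument behind the 1 in 2^32 figure for 32 votes and the near certainty for fifty or more. complementary_layer shows the flip side: because any single layer is consistent with every possible ballot, the kept layer can be posted publicly for the voter to check and is worthless as proof to a vote buyer.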

  14. Re:One question.... by mOdQuArK! · · Score: 2, Interesting
    After the election, you can go to a webpage and type in that number and it will tell you how that person voted. That allows the voter to verify the results.

    (sigh) Classic mistake when naively implementing a "voting verification" system. You don't want a voter to be able to prove how they voted. If you do that, historically it has been proven that voters will be encouraged (either through positive - money, gifts, etc - or negative - intimidation, beatings, etc - feedback) to vote particular ways, instead of their conscience. Every voter has to have plausible deniability.

    That's why real voting systems try to only verify that each ballot was from a unique voter, and that the reported counts of the election can be reconstructed from the individual ballots.