Slashdot Mirror


Schneier On Self-Enforcing Protocols

Hollow Being writes "In an essay posted to Threatpost, Bruce Schneier makes the argument that self-enforcing protocols are better suited to security and problem-solving. From the article: 'Self-enforcing protocols are safer than other types because participants don't gain an advantage from cheating. Modern voting systems are rife with the potential for cheating, but an open show of hands in a room — one that everyone in the room can count for himself — is self-enforcing. On the other hand, there's no secret ballot, late voters are potentially subjected to coercion, and it doesn't scale well to large elections. But there are mathematical election protocols that have self-enforcing properties, and some cryptographers have suggested their use in elections.'"

34 of 207 comments

  1. You need trust by sopssa · · Score: 2, Insightful

    Like everything else, both self-enforcing 'protocols' and someone in between, say paypal, rely on trust from people. It also relies on the fact that businesses will take a major hit when someone says something bad about them or if they fraud. This is exactly the same with laws. You can't enforce it, but you can make consequences for breaking laws bad enough so people don't want to break them.

    In high school I was teached that every happy customer tells about their good experience to 3-4 people, but every unhappy customer tells about it to 20 people. It's a great advice. Once the bad word gets out, your sales are going to suck and you lose customers. This is also why you need the trust and good name with self-enforcing protocols if not using middle man like paypal.

    This can also be seen on webmasters forums and the like. People have certain amount of trust points according to their past and who they've done business with. You can instantly see who is reliable and who you can do business with.

    Problem without using third party is that you cannot get to that trust level as newcomer and that it takes time to work it. When there's someone trusted in the middle of the transaction, you have some guarantee that you won't be cheated (or lose your personal details etc to whatever kind of fraud). In this case the trustful middlehand is good.

    So it only works if the other party is big enough. When voting, you rely on trusting the government (now this sentence is so gonna get some paranoid persons replying :). If not, you need a middle party that is big enough that you can trust them instead.

    As a side note, this is why we still rely on banks and even on our cash - We trust that our money on our bank accounts will still be available to us, and that our $10 bills won't just suddenly become worthless.

    1. Re:You need trust by maxwell+demon · · Score: 2, Funny

      Butt the spelling chequer tails me that theirs know miss take.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:You need trust by Ann+Coulter · · Score: 4, Interesting

      Self-enforcing protocol participants do not require the level of trust that is required of impartial middle-men. One way of looking at self-enforcing protocols is to think of the protocol itself as serving the role of a middle-man. The protocol can be scrutinized more thoroughly than any self-serving middle-man and a higher level of trust can be placed on the protocol.

    3. Re:You need trust by cellurl · · Score: 2, Funny

      We use AARP (essentially) as our Big-middle-party. They do a reasonable job. Kick out the machines and expand the role of these wonderful honorable people. Expand their role throughout voting, not just at the voting-desk, but in transferring the votes and publishing the results. I want to see an old couple announcing the winner to CNN.

    4. Re:You need trust by Dishevel · · Score: 3, Informative

      The problems with the system itself are minor. The real problem is not the hardware but the system itself. It does not matter who you vote for. The politicians are representing either big business and the rich or trial lawyers and unions. After they are done serving those masters they move on to what is important to them. Pointless junkets in G5s. Either way the people are meant to be screwed.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    5. Re:You need trust by nedlohs · · Score: 3, Insightful

      Please resubmit your comment in Swedish so we can make fun of your non-native language errors too.

      Should be great since your English was worse than the post you were criticizing.

    6. Re:You need trust by eoin_tbo · · Score: 2, Interesting

      "Vere-a yuoo teeched tu vrute-a ingleesh tuu? Selff leemiting prutuculs ere-a useffool oonly fur smell scele-a sulooshuns vhee it is reesunebly pusseeble-a tu feleedete-a zee resoolts (ere-a yuoo gueeng tu be-a eble-a tu refeeoo zee futes ooff 1,000 ploos futers in a useffool teemescele-a) und vhere-a zeere-a is nu penelty tu hefeeng deceesiuns un ecturs deceesiuns beeeng poobleec knooledge-a."

      I guess my comment came off as overly snarky and non-constructive (like all nitpicking comments are) and sorry for that.

      It was more that it was a mistake in a sentence about what was learned in high school.
      How do you know the original poster isn't a native speaker?

    7. Re:You need trust by maxwell+demon · · Score: 5, Funny

      The politicians are representing either big business and the rich or trial lawyers and unions.

      The problem is actually the American spelling. Since the American spelling of "cheque" is "check", the politicians simply misunderstand the term "checks and balances" (where "balance" is interpreted as "balance of the bank account", of course).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:You need trust by SleepingWaterBear · · Score: 4, Insightful

      Self limiting protocols are useful only for small scale solutions when it is reasonably possible to validate the results (are you going to be able to review the votes of 1,000 plus voters in a useful timescale)

      This idea seems to come out of nowhere and with no justification other than that the most naive possible method of scaling one particular protocol up doesn't work well. There is no fundamental reason that a well designed self enforcing protocol can't scale very well. As a simple example, let voters gather in groups of 100 or so and tally their votes. Then send someone to report the votes to a larger group (this can happen multiple times to allow for exponential scaling), and make sure the report is publicized (in a local newspaper or on a website designed for the purpose) so that voters can confirm the numbers were reported right. By spreading the work over many people no one person has to do an excessive amount of work, regardless of the number of voters.

      Anonymity is a little trickier to do efficiently, but here's the first idea that comes to mind. Gather your 100 voters in a room with a vote count visible to everyone, and give each voter a private terminal. In a random order ask each voter to make a choice, then to confirm the updated count. Each voter will know his own vote was counted correctly. If 100 voters doesn't seem like enough to ensure anonymity you can use a larger group.

      Obviously there are all sorts of flaws with the plans above, but with proper time to work through the details a workable plan of some sort exists. Just because you don't know a solution to a problem doesn't mean that someone actually willing to think can't come up with one.
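
The check that makes the tiered tally in the comment above publicly verifiable, as an added example that is not part of the original post: every group publishes its count, and anyone can recompute each reported total from the published reports beneath it. The report layout, group names and figures are constructed for illustration.

```python
import copy

# Constructed published reports. Leaves are room tallies that the voters in
# the room counted themselves; inner nodes are totals a delegate reported
# upward, listing the child reports they claim to sum.
REPORTS = {
    "room-1": {"tally": {"A": 58, "B": 42}},
    "room-2": {"tally": {"A": 47, "B": 53}},
    "room-3": {"tally": {"A": 61, "B": 39}},
    "room-4": {"tally": {"A": 35, "B": 65}},
    "district-north": {"children": ["room-1", "room-2"],
                       "tally": {"A": 105, "B": 95}},
    "district-south": {"children": ["room-3", "room-4"],
                       "tally": {"A": 96, "B": 104}},
    "region": {"children": ["district-north", "district-south"],
               "tally": {"A": 201, "B": 199}},
}


def same_tally(a, b):
    """Equal counts for every candidate, treating an absent name as zero."""
    return all(a.get(c, 0) == b.get(c, 0) for c in set(a) | set(b))


def sum_children(reports, children):
    """Add up the tallies exactly as the children published them."""
    total = {}
    for child in children:
        for candidate, n in reports[child]["tally"].items():
            total[candidate] = total.get(candidate, 0) + n
    return total


def audit(reports):
    """Check every reported total against its children's published tallies.

    Comparing against the published child figures (not a recount from the
    leaves) pins a discrepancy on the one node that misreported.
    """
    problems = []
    for name, node in sorted(reports.items()):
        children = node.get("children")
        if not children:
            continue  # leaf: checked by the people who were in the room
        missing = [c for c in children if c not in reports]
        if missing:
            problems.append((name, "child report missing", missing))
            continue
        expected = sum_children(reports, children)
        if not same_tally(expected, node["tally"]):
            problems.append((name, "sum mismatch", expected))
    return problems


def witness_check(reports, room, counted_in_room):
    """A voter who watched the room count compares it with the published leaf."""
    return room in reports and same_tally(reports[room]["tally"], counted_in_room)


def with_shifted_votes(reports):
    """Constructed tampering: the district-south delegate moves 10 votes from
    B to A, and the region total is then built on that altered figure."""
    bad = copy.deepcopy(reports)
    bad["district-south"]["tally"] = {"A": 106, "B": 94}
    bad["region"]["tally"] = {"A": 211, "B": 189}
    return bad


if __name__ == "__main__":
    print("honest reports:  ", audit(REPORTS))
    print("tampered reports:", audit(with_shifted_votes(REPORTS)))
```

The tampered run flags only district-south: the region total is consistent with what district-south published, so the discrepancy is localized to the level where the figure changed.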

  2. Why? by mets501 · · Score: 3, Insightful

    After reading that, I was left with the feeling that I had no idea what I had read it for. Was it a call to arms? Was it a rant about our whole world? It seemed to offer more problems than solutions...

    1. Re:Why? by radtea · · Score: 2, Insightful

      It seemed to offer more problems than solutions...

      The "problem" is that the system of American government is fundamentally broken due to partisan capture: the government represents the Party, not the people.

      Unfortunately, the solution is not to be found in messing with the voting system, and certainly not by messing with it in ways that make it more complex. Most developed nations have very relatively simple, robust voting systems that have very plain, simple, paper ballots that may--but are not always--machine counted.

      Only in America is the smoke-and-mirrors of electronic voting given so much press, which is just part of the huge machinery of distraction from the elephant in the room: the Party controls the government. That the Party has two wings that go under different names is another big distraction. It lets Americans believe they aren't living in a one party state, but has no other effect.

      The solution, if there is one, is to systematically de-Partisanize the American voting system, starting by eliminating the ridiculous and unseemly involvement of the Party in voter registration, which should be handled by an arms-length public organization.

      It will be extremely difficult for this to happen, but a campaign to make it happen, like the campaign against gerrymandering, would at least put the fact of Partisan unity front-and-centre in what passes for American political discourse.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    2. Re:Why? by dk90406 · · Score: 3, Informative
      It was merely an analysis and introduction to self enforcing protocols - protocols that make cheating difficult. Bruce often writes such pieces on security related matters. As a security expert, he covers all aspects: IT, civil, banking, etc. of security and the psychological mechanisms behind the perception of security and risk.
      He publishes the newsletter CRYPTO-GRAM once a month, that contains some good pieces. You can subscribe if you wish.
      And he is one of the few who, IMO, has the right take on the "security" upgrades done in the US / world after 9/11.

      Yes, I admit it: I respect him, and have subscribed to the newsletter for years.

    3. Re:Why? by mets501 · · Score: 2, Informative

      Furthermore, your signature is asinine for several reasons, not the least of which is because you put the inequality going in the wrong direction.

      Check out p-values. "p" in this case is not a regular probability. The equality is in the correct direction.

    4. Re:Why? by TerranFury · · Score: 2, Insightful

      The voting system determines the rules of the game. And it turns out that the game is structured such that large parties play it best. How can you destroy parties without changing the game? Theirs is evidently the equilibrium strategy.

  3. Show of hands not self-enforcing by Spazmania · · Score: 4, Insightful

    The show of hands is not self-enforcing precisely because a non-secret ballot is subject to coercion. People vote their peers instead of their conscience.

    Selecting a security protocol that adversely alters the results is a common mistake among information security personnel.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Show of hands not self-enforcing by UnHolier+than+ever · · Score: 4, Insightful

      No, a show of hands *is* self-enforcing *but* not secret, and therefore subject to coercion, which is why it is rarely used. The article alluded to the fact that there may be a self-enforcing, secret protocol, without going into details of what it could be. If it exists, it would be a good idea to use it. It would also have been a good idea to include it in the article....

    2. Re:Show of hands not self-enforcing by maxwell+demon · · Score: 2, Informative

      More elaborate methods of letting people see your choice without seeing you could also be used.

      You mean like, making a cross on paper and putting that paper in a box, and then counting afterwards?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:Show of hands not self-enforcing by NickFortune · · Score: 2, Insightful

      The show of hands is not self-enforcing precisely because a non-secret ballot is subject to coercion. People vote their peers instead of their conscience.

      Right. But if there is a true self enforcing protocol we can use, then we'd be fools not to use it. That's the interesting thing here. Can't comment further than that because TFA is ever so slightly slashdotted at the moment.

      Still, at the risk of covering the same ground as in TFA, maybe it's time to consider the secret ballot in terms of a security trade off. What good is voter anonymity if it's impossible to demonstrate that the electoral process is fair? You just swap one means of disenfranchising the public with another one. Moreover, with a method that's way harder to catch and punish.

      Maybe we need to look past "secret ballots are good" and focus on why we consider them to be good, and on whether that good is being preserved under current systems.

      --
      Don't let THEM immanentize the Eschaton!
    4. Re:Show of hands not self-enforcing by nedlohs · · Score: 2, Funny

      Because bringing in additional glow sticks is much harder than sneaking extra ballots into a ballot box.

    5. Re:Show of hands not self-enforcing by CaptainOfSpray · · Score: 5, Informative

      Here's some experience of "show of hands" voting.

      It was widely used in trade unions in England in the 50's and 60's, typically in public meetings of all the members in a workplace. I heard of it both from a carpenter in the ship-building industry, a family friend; and from other insider reports on meetings in the car-making industry in Oxford, where I lived for a while. According to my sources, these meetings were often used to pass strike decisions of considerable financial importance to the members, but (a) you attended these meetings with your workmates, who saw how you voted, and made life hell if you didn't vote the Right Way (b) the committee appointed tallymen to count the hands - they reported whatever counts the committee had told them to report.

      The result was the destruction of British industrial firms by self-centered self-appointed little dictatorial union leaders who were always interested in making trouble, regardless of their members' interests. Vote them out? How? The elections were by "show of hands".

      So "show of hands" voting is wide open to abuse if there are more people present than can be viewed and instantly counted by those present, or where those present are unable to challenge the count effectively.

      --
      "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
  4. Errrr, your suggestion is.....? by drdrgivemethenews · · Score: 3, Insightful

    What is the proposed self-enforcing voting protocol? With no suggestion made, what is the interest of this article to the slashdot community?

    1. Re:Errrr, your suggestion is.....? by Lord+Ender · · Score: 2, Informative

      Regular readers of his blog would be aware of such methods. He regularly discusses papers and theories regarding security systems, including the security of voting machines.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Errrr, your suggestion is.....? by goodmanj · · Score: 3, Informative

      It's more of a teaching article, not a specific new proposal. Its goal is to describe an idea to people who're not familiar with it. Maybe you're an expert already, but I found it interesting.

    3. Re:Errrr, your suggestion is.....? by Otto · · Score: 4, Insightful

      What is the proposed self-enforcing voting protocol?

      Everybody in the same room makes a mark on a ballot, folds it, puts it in a box with an open top, so all can see it is not subject to being rigged, but still not see the actual votes. At the end, the votes are upended on the floor and everybody looks at them, and can count them themselves.

      Less subject to coercion than a show of hands, still not perfect. However, it is self-enforcing, since all can see the results.

      There's other ways as well, but the point is that everybody needs to know how the system works and to be able to follow all the votes all the way through the system to the final count for it to be self-enforcing.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  5. Voting needs to be transparent by krappie · · Score: 5, Interesting

    Here is the solution to all voting problems.

    Goals:
    1. Confirm your vote is collected correctly.
    2. Try to assure the people that no votes were added.
    3. Don't hide results.
    4. Keep votes anonymous.

    Solution:
    1. Keep a large public vote database.
    2. Be able to look up votes by voter id, county, polling location and time.
    3. Keep large visible clock and voter count at each polling station. Every time a person goes into the voting room, the count goes up. Voter counts can be confirmed online. Maybe even in a graph over time.

    The voter should be able to go online and see his own vote. Since every voter can see every vote counted up in every polling location in the country and know that everyone else can, they'll be assured of the results. If they're paranoid, they can watch their local polling station's voter count and confirm the published results don't have added votes.

    Note: Maybe instead of voter id's, it should be a random confirmation code that's generated on the spot. That should be even more anonymous.

    Problems: Some people actually vote for the wrong person on accident. That's unfortunate, but the solution isn't to hide it from them.
    If vote online doesn't match your vote, have a dispute process. Keep track of dispute counts over time, for the public to see.
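
The checks this comment describes, run against a small public vote database (an added example, not part of the original post). The row layout, station names, codes and counts are constructed; the sample is built so that the public recount matches the announced result while one station still shows more published votes than its door counter.

```python
import secrets
from collections import Counter


def new_confirmation_code():
    """Random per-ballot code issued on the spot instead of a voter id."""
    return secrets.token_hex(8)


# Constructed public vote database: (station, time, confirmation code, choice).
PUBLIC_ROWS = [
    ("station-7", "09:02", "c0de0001", "Alice"),
    ("station-7", "09:05", "c0de0002", "Bob"),
    ("station-7", "09:11", "c0de0003", "Alice"),
    ("station-9", "09:03", "c0de0004", "Bob"),
    ("station-9", "09:09", "c0de0005", "Bob"),
    ("station-9", "09:15", "c0de0006", "Bob"),  # nobody was seen entering
]
# Constructed door counters as read by observers when the polls closed.
DOOR_COUNT = {"station-7": 3, "station-9": 2}
# Constructed official announcement.
ANNOUNCED = {"Alice": 2, "Bob": 4}


def check_my_vote(rows, code, intended):
    """Goal 1: a voter looks up their own code in the public database."""
    found = [choice for _, _, c, choice in rows if c == code]
    if not found:
        return "missing"
    if len(found) > 1:
        return "duplicate code"
    return "ok" if found[0] == intended else "altered"


def added_votes(rows, door_count):
    """Goal 2: stations that published more votes than people seen entering.

    Returns {station: number of surplus rows}.
    """
    published = Counter(station for station, _, _, _ in rows)
    return {
        station: n - door_count.get(station, 0)
        for station, n in published.items()
        if n > door_count.get(station, 0)
    }


def duplicate_codes(rows):
    """Codes that appear on more than one row; each code must be unique."""
    counts = Counter(code for _, _, code, _ in rows)
    return sorted(code for code, n in counts.items() if n > 1)


def recount(rows):
    """Goal 3: anyone can recompute the result from the public rows."""
    return dict(Counter(choice for _, _, _, choice in rows))


if __name__ == "__main__":
    print("my vote:       ", check_my_vote(PUBLIC_ROWS, "c0de0002", "Bob"))
    print("recount agrees:", recount(PUBLIC_ROWS) == ANNOUNCED)
    print("added votes:   ", added_votes(PUBLIC_ROWS, DOOR_COUNT))
    print("duplicates:    ", duplicate_codes(PUBLIC_ROWS))
```

A matching recount only shows that the announcement agrees with the database; the door-counter comparison is what ties the database to the people who actually turned up.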

  6. Madison Warned about this by cs668 · · Score: 5, Interesting

    in the federalist papers:

    http://www.constitution.org/fed/federa10.htm

    They thought about it, but free speech trumped the elimination of political parties. Always floors me how much foresight they had.

  7. Re:Bruce Schneier once decrypted a box of AlphaBit by rjstanford · · Score: 4, Insightful

    And when your boss says, "By the way, if you vote for Dan, you get to keep your job - and I want to see your voting receipt to prove it, or out you go!"? That's one of the main reasons that we have private polling in the first place.

    How about going back to the old ways - electronically generating, at the polling place, an anonymous, very clear, human-readable piece of paper describing your vote. Use machines to create as many as you want, one at a time, on special pieces of paper that are handed out either as you walk in the door and get IDd or upon the insertion of your previous one into a shredder. Once you're happy with it, it goes into the voting box which a) saves it, and b) scans it and records the data, unofficially (ie: the piece of paper wins in a recount).

    Dead simple, totally private, and fully auditable. Plus, with an open standard, there could be different types of paper-generating-machines for people with different needs, no problem. No hanging chads, no huge expense, quick access to unofficial results and about as easy a recount procedure as you could ask for.

    Finally, at the end of the day, do it the CA way and have the boxes opened up and tallied by hand for the major issue and a random selection of minor ones at each station. Anyone can watch, and any discrepancy over .1% of the total is assumed to be computer-tampering and triggers a full manual count for all issues at that station, and a more thorough audit to determine the source of the discrepancy.

    --
    You're special forces then? That's great! I just love your olympics!
  8. related pet peeve by circletimessquare · · Score: 4, Informative

    voting systems should better reflect the people's actual will, by being a little more complex

    you're never going to get the nuance of the people's will 100%, but you can do a lot better. for example: borda voting

    http://en.wikipedia.org/wiki/Borda_count

    just rank candidates in the order you like them. then, in a divisive election is an opportunity for everyone's second best choice to become the winner rather than partisan first choices, that one half of the population hates, barely edging out the other

    now take as an example the disgusting 2000 presidential election: if people were allowed to merely rank candidates rather than be forced to pick one, who would have won? john mccain. however you think of him as a choice in the 2008 election, mccain was certainly a better choice than gore or bush in 2000, and the nation actually thought so. if the people were allowed to rank a list of candidates, his name would have come out as the number 2 choice of everyone, and he would have won. but the system worked against mccain. instead, various undemocratic closed door machinations led the republican party to choose monkey boy bush over the more deserving mccain, and so the democrats who would have ranked mccain second best never would have been able to register their approval of mccain over bush. borda voting does away with the whole party primary nonsense: democrats field 4 or 5 presidential candidates, republicans field 4 or 5 presidential candidates. and the voters merely rank them. then the voting system better reflects the nuances of public opinion, and allows for the candidate whom people really like to emerge. who should really lead the nation? by better reflecting the people's affinity or dislike. no more divisive partisan bullshit

    another good system: approval voting

    http://en.wikipedia.org/wiki/Approval_voting

    easier to understand than borda voting with similar results: checkbox next to anyone you like. voting for no one and voting for everyone has the same effect. in between, are abilities to express approval and disapproval, and the winner is a simple tally of whomever gets the most votes

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:related pet peeve by the+phantom · · Score: 2, Informative

      The system described above does tend to reflect the will of the people better. As an analogy, consider the GPA of a student. The current system is like only counting the As, i.e. you get credit for a class only if you get an A in that class. This is great for the students that always get As, but pretty much sucks for everyone else, and doesn't accurately reflect one's ability. The Borda system is more similar to the way that grades are actually averaged. You can be ranked on a scale from 0 to 4 (or 0 to 12 if you include pluses and minuses), which better reflects a student's ability.

      To compare the two systems, consider the two following hypothetical students: student X took five classes last semester, got an A in one, and failed the other four; student Y also took five classes last semester, but got Bs in all of them. Under the first system, student X, who failed most of his classes, would still be ranked above student Y, because student X managed to get at least one A, whereas student Y did not. On the other hand, in the system we use, student Y would be ranked more highly.

      A similarly brief overview of this idea (complete with this analogy) was published a while back by the AMS as part of their Mathematical Moments series. The relevant documents are near the bottom of the linked page, under the heading "Making Votes Count."
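
The comparison made in the two comments above, worked through on a constructed three-candidate electorate (an added example, not part of either post). Candidate names, ballot counts and the rule that each voter approves their top two choices are assumptions; Borda points here run from n-1 for first place down to 0 for last.

```python
from collections import Counter

CANDIDATES = ["Left", "Middle", "Right"]

# Constructed electorate: (number of voters, ranking from most to least liked).
# Two opposed blocs both rank "Middle" second; a small bloc ranks it first.
BALLOTS = [
    (40, ["Left", "Middle", "Right"]),
    (45, ["Right", "Middle", "Left"]),
    (15, ["Middle", "Left", "Right"]),
]


def plurality(ballots):
    """Only first choices count (the 'count only the As' system)."""
    scores = Counter()
    for n, ranking in ballots:
        scores[ranking[0]] += n
    return dict(scores)


def borda(ballots, candidates):
    """Every position earns points: n-1 for first place down to 0 for last."""
    top = len(candidates) - 1
    scores = {c: 0 for c in candidates}
    for n, ranking in ballots:
        if sorted(ranking) != sorted(candidates):
            raise ValueError("each ballot must rank every candidate once")
        for place, candidate in enumerate(ranking):
            scores[candidate] += n * (top - place)
    return scores


def approve_top(ballots, k):
    """Assumption for this example: each voter approves their top k choices."""
    return [(n, ranking[:k]) for n, ranking in ballots]


def approval(approval_ballots, candidates):
    """One point per approved candidate; a ballot may approve any subset."""
    scores = {c: 0 for c in candidates}
    for n, approved in approval_ballots:
        for candidate in set(approved):
            if candidate not in scores:
                raise ValueError("unknown candidate: " + candidate)
            scores[candidate] += n
    return scores


def winner(scores):
    """Highest score wins; returns None on a tie for first place."""
    best = max(scores.values())
    leaders = [c for c, s in scores.items() if s == best]
    return leaders[0] if len(leaders) == 1 else None


def margins(scores):
    """Each candidate's distance behind the leader (0 for the leader)."""
    best = max(scores.values())
    return {c: best - s for c, s in scores.items()}


if __name__ == "__main__":
    for name, scores in [
        ("plurality", plurality(BALLOTS)),
        ("borda", borda(BALLOTS, CANDIDATES)),
        ("approval", approval(approve_top(BALLOTS, 2), CANDIDATES)),
    ]:
        print(name, scores, "->", winner(scores))
```
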

  9. Re:Bruce Schneier once decrypted a box of AlphaBit by dkleinsc · · Score: 2, Interesting

    Actually, the voting method you describe is more-or-less what optical-scan ballots are all about. While they aren't exactly "the old ways", they work extremely well, and give you an auditable vote in case of recount.

    For instance, in the Franken-Coleman senatorial race, we had pieces of paper that could be gone through and understood. Yes, it took a really long time, yes, it produced votes for Lizard People, but the end result was something that independent observers could see as a correct reflection of the will of the people. With an electronic ballot, we wouldn't have had anything to recount, just a computer telling us a number.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  10. how can early compromise by circletimessquare · · Score: 2, Insightful

    result in a more mainstream choice? i am flabbergasted how such a conclusion could enter your mind

    the 2000 election is an indisputable example of how the current system wound up choosing a president that was not mainstream. we got instead a cleavage of the country into left and right, with resentment and hatred festering

    mccain was a better mainstream choice: his secondary appeal to democrats was much larger than his primary appeal to the right wing, which is what cost him the party's nomination. so if mccain was allowed to proceed to a final approval or borda vote, he would beat bush and gore on account of his much broader secondary appeal

    meanwhile, our current system divides, it doesn't unite: it stokes the fires of partisanship, it cleaves the american people into two fiercely divided camps where the loudest most blind voices dominate

    such voices would still exist if we voted borda or approval, but more moderate voices would come to dominate, simply because a different voting system rewards a different strategy and set of issues

    partisan morons are tearing this country apart. we need less of them, not more of them, just look at the idiocy that dominates the discussion on healthcare right now. how do we get less partisans? we adopt a system which rewards them less. our current unideal system rewards partisan loudmouth bickering idiots, to tragic results

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  11. Re:First Post by Anonymusing · · Score: 2, Insightful

    Maybe it's merely a self-fulfilling protocol?

    --
    Liberal? Conservative? Compare perspectives at Left-Right
  12. Rivest to the rescue? by dawnpatrol1623 · · Score: 2, Informative

    The article is interesting, but Schneier is not the first person to consider such questions. Last year (I think?), Ron Rivest gave a couple talks at my school on the subject of voting. One of them was about auditing, and the other was about using crypto to achieve safer e-voting. You can see something similar to what he said here: http://people.csail.mit.edu/rivest/RivestSmith-ThreeVotingProtocolsThreeBallotVAVAndTwin.pdf Some of the comments here have been arguing over the relative merits of verifiability and secrecy (as in having voting receipts or whatever). Cryptographic methods can be used to partly reconcile those ostensibly contradictory goals. Anyhows, have fun reading.

  13. Re:Try authenticating before authorizing... by the+phantom · · Score: 2, Informative

    You can't check for fraud by groups like ACORN (ACORN falsely registered the entire starting lineup of the Dallas Cowboys in Nevada and has been indicted in 14+ states)

    Please, stop spreading misinformation. ACORN itself has not even been charged with any wrongdoing, let alone convicted. Rather, contractors hired by ACORN to get voter registrations have been charged. Rather than a conspiracy to fraudulently register voters, it appears that several lazy contractors filled out forms in order to get paid without doing any work. It should be further noted that, in many states, it would be illegal for ACORN to discard suspicious registrations submitted by their workers---instead, they are required to pass them along to the state, which is the only entity with the authority to discard registrations (as for the reason, imagine if ACORN decided that only people registering as Democrats should be allowed to register---they could discard all registrations with the Republican box ticked, thus committing another kind of fraud). In short, it is evident that some voter registration fraud did occur, but that it was almost certainly the result of laziness on the part of workers, rather than an intentional effort to commit fraud on the part of ACORN. Never attribute to malice that which can more reasonably be attributed to laziness, incompetence, or stupidity.

    http://www.factcheck.org/elections-2008/acorn_accusations.html