William Allen Simpson wrote:

> And in the same vein, I forwarded Ed Gerck's list of published
> 'requirements' to Lynn.  She intends to use them as a perfect example
> of what we DO NOT want!

see below, before you set yourself to re-invent the wheel.

> Ed Gerck wrote:
> > 1. Sixteen requirements for voting. The requirements are technologically
> > neutral and can be applied to paper, electronic or Internet systems.  There
> > is an extensive discussion of alternatives, before the requirements are
> > summarized. Available at http://www.thebell.net/archives/thebell1.7.pdf ,
> > page 3.
> >
> There are some requirements that are nearly identical to those that
> we've selected.

The 16 requirements include many that are either a recommended standard by the FEC
or are being considered for recommended standards.  I did not re-invent the wheel.

>  And I like the kudos to IETF, and open systems.
>
> However, the first half dozen are based on the bad presumption that:
>
>     1. Fail-safe voter privacy. Define: “voter privacy is the
>     inability to know who the voter is.” Assure voter privacy
>     even if everything fails and everyone colludes.
>
> First of all, that's not "privacy", that's "anonymity".

Just for you. See the technical papers in http://www.safevote.com/information.htm,
especially  ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/wwwisc/HirSak00.pdf
and its references. See Gennaro's paper quoted at the end, as well.

Further, see also my posting here of Oct/99, in which I wrote:

The current useful voting properties as proposed by Fujioka,
Okamoto and Ohta, 1992, and  Benaloh and Tuinstra, 1994, are:

1. Completeness: All valid votes are counted correctly, if all participants are honest.

2. Robustness: Dishonest voters, other participants or outsiders can't disturb or disrupt an election.

3. Privacy: The votes are cast anonymously.

4. Unreusability: Every voter can vote only once.

5. Eligibility: Only legitimate voters can vote.

6. Fairness: A voter casts his vote independently and is not influenced (e.g. by publishing intermediate results of the election, or by copying and casting the encrypted vote slip of another voter as his own vote).

7. Verifiability: The tally cannot be forged, as it can be verified by every voter. The verifiability is local if a voter can only check whether his own vote is counted correctly. If it is verifiable whether all votes are counted correctly, then the verifiability is universal.

8. Receipt-freeness: A voter can't prove to a coercer how he has voted. As a result, verifiable vote buying is impossible.



> We have voter registration precisely so that we know who the voters
> are!  We are not changing voter registration....

You are mixing apples with speedboats. The 16 requirements apply specifically to voting, as it says. Of course, in voter registration the election officials must know who the voter is (and more -- where the voter lives, etc.).

BTW, there are other requirements being discussed specifically for voter registration, and here privacy will also be a BIG issue. One that is being infringed today by third-party voter registration services that transfer the voter data to the state but keep copies, which copies they are legally allowed to share with their 'affiliates' (read: anyone that signs a contract with them).

>     4. Fail-safe privacy in universal verifiability. If the
>     encrypted ballots are successfully attacked, even with
>     court order, the voter’s name must not be revealed. In
>     addition, the system must provide for “information-theoretic
>     privacy” (i.e., privacy which cannot be broken
>     by computation, even with unbounded time and
>     resources) in contrast to systems that would only provide
>     for “computational privacy” (i.e., privacy which could be
>     broken by computation, given time and resources).
>
> I cannot believe any security analyst worth his salt could 'specify'
> such as requirement.  When I specified computational infeasibility of
> 100 years, the Science staff came back and asked how NIST would test
> that?  We reduced it to 10 years, something that might be achievable.

You are, again, mistaken. See the classical paper by Rosario Gennaro and others,
at  http://www.research.ibm.com/security/election.ps BTW, this is their remark on
this (and, voter privacy):

  Privacy of an individual vote is assured against any reasonably sized coalition of parties (not including the voter herself). That is, unless the number of colluding parties exceeds a certain threshold, different ballots are indistinguishable irrespective of the contained votes. We say that information-theoretic privacy is achieved when the ballots are indistinguishable independent of any cryptographic assumption; otherwise we will say that computational privacy is achieved.

BTW,  my replies above might also indicate that the US election process would be much
improved if proper attention is given to what must not be "improved".

Cheers,

Ed Gerck


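The threshold privacy that the Gennaro et al. remark describes (ballots indistinguishable unless the colluding parties exceed a threshold, with no cryptographic assumption) can be shown concretely with Shamir secret sharing. The following is an added example for this archived thread; it is not code from the thread, from Safevote, or from any of the cited papers. It assumes yes/no ballots encoded as 0 or 1, n tallying authorities with a threshold of t, a large prime field modulus P chosen for convenience, and anonymous channels from voter to authorities (which the code does not model). The interesting function is missing_share_under: a coalition holding t-1 shares can complete them to a valid set under either hypothesis about the vote, so its view is the same whether the vote was 0 or 1 regardless of how much computation it has. The additive tally shows why the same sharing still lets a quorum count the votes.

```python
# Added example, not from the original thread or from any of the cited papers:
# Shamir secret sharing of yes/no ballots among n tallying authorities with
# threshold t. P, n and t are hypothetical demo parameters.
import secrets

P = 2**61 - 1  # prime field modulus (assumption: a Mersenne prime, chosen for convenience)


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... over GF(P) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_ballot(vote, n, t):
    """Split one yes/no ballot into n shares (x, y); any t of them reconstruct it.

    The ballot is the constant term of a random polynomial of degree t-1, so any
    t-1 shares are uniformly random field elements whatever the vote was.
    """
    if vote not in (0, 1):
        raise ValueError("ballot must be 0 or 1")
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [vote] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation over GF(P): the value at x of the unique polynomial
    of degree < len(points) passing through the given (xi, yi) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^(P-2) is den's inverse
    return total


def reconstruct(shares):
    """Recover the secret (the polynomial's constant term) from at least t shares."""
    return interpolate_at(shares, 0)


def missing_share_under(partial, hypothesis, x_missing):
    """What a coalition holding only t-1 shares can conclude: for EITHER hypothesis
    about the ballot there is a valid t-th share completing its view, so the view
    is identical whether the vote was 0 or 1. No computational assumption is
    involved; this is the information-theoretic privacy of the Gennaro quote."""
    return interpolate_at(partial + [(0, hypothesis)], x_missing)


def tally(ballots, n, t):
    """Each authority adds up the shares it received; any t authorities then
    reconstruct the sum of the votes, and only the sum, since sharing is additive."""
    per_authority = [0] * n  # per_authority[k] is held by the authority with x = k+1
    for vote in ballots:
        for k, (_, y) in enumerate(share_ballot(vote, n, t)):
            per_authority[k] = (per_authority[k] + y) % P
    quorum = [(k + 1, per_authority[k]) for k in range(t)]  # first t authorities cooperate
    return reconstruct(quorum)


if __name__ == "__main__":
    n, t = 5, 3
    shares = share_ballot(1, n, t)
    print("any 3 of 5 shares recover the ballot:", reconstruct(shares[:3]), reconstruct(shares[2:]))
    coalition = shares[:2]  # two colluding authorities, below the threshold
    for h in (0, 1):
        s = missing_share_under(coalition, h, 3)
        print(f"coalition view is consistent with vote={h}: share #3 would be {s}")
    print("tally of constructed ballots [1,0,1,1,0]:", tally([1, 0, 1, 1, 0], n, t))
```

Contrast this with a ballot encrypted under a tallier's public key: that gives only computational privacy, since unbounded computation (or a compelled key) recovers the plaintext, which is exactly the distinction requirement 4 draws. The example covers the privacy property alone; eligibility, unreusability and verifiability need the additional machinery (authenticated but unlinkable submission, commitments, proofs that a share encodes 0 or 1) that the cited papers discuss, and a dishonest voter submitting out-of-range shares would not be caught by the range check here, which runs only on the voter's side.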