At 8:24 AM -0400 4/8/04, Perry E. Metzger wrote:
"Trei, Peter" <[EMAIL PROTECTED]> writes:
 I think Perry has hit it on the head, with the one exception that
 the voter should never have the receipt in his hand - that opens
 the way for serial voting fraud.

 The receipt should be exposed to the voter behind glass, and
 when he/she presses the 'accept' button, it visibly drops into
 the sealed, opaque ballot box.

Seems fine by me, except I'd make the ballot box only lightly frosted -- enough that you can't read the contents, but light enough that poll inspectors can visually assure themselves that the contents aren't mysteriously altered during the course of the day.

I can see one potential problem with having the machine produce the receipts. Let's say the system is well designed and completely fair. There will be a certain percentage of voters who will complain that the receipt recorded the wrong vote because they in fact inadvertently pressed the wrong button. Over time, that percentage and its variance will become well known. Call that rate "r." A party with the ability to make surreptitious changes to the voting software can then have it occasionally record a vote and print a receipt contrary to what the voter chose as long as the number of such bogus votes is small enough relative to r and its variance to escape notice. They can then determine what fraction, f, of voters who get wrong receipts report them. They can then increase the fraction of bogus votes by 1/f. Over the course of several elections they can slowly grow the fraction of bogus votes, claiming that voters are getting sloppy. Since major elections are often decided by less than one percent of the vote, this attack can be significant.


We have a system now in Cambridge, Massachusetts where we are given a paper mark sense ballot and fill in little ovals, like those on standardized tests. We then carry our ballot to a machine that sucks it in and reads it. The totals are reported after the polls close, but the mark sense ballots are saved inside the machine (which I assume is inspected before the voting starts and then locked) and can easily be recounted at any time. This system seems ideal to me.


By the way, I should mention that an important part of such a system is the principle that representatives from the candidates on each side get to oversee the entire process, assuring that the ballot boxes start empty and stay untampered with all day, and that no one tampers with the ballots as they're read. The inspectors also serve to assure that the clerks are properly checking who can and can't vote, and can do things like hand-recording the final counts from the readers, providing a check against the totals reported centrally.

The adversarial method does wonders for assuring that tampering is
difficult at all stages of a voting system.


An important thing to remember is that these poll watchers, along with the workers running the voting for the election authorities, are often retired people who have very few computer skills. It is much easier for them to understand and safeguard systems based on paper and mechanical locks.


Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
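
An added example, not part of the original message or thread: the paragraph on the complaint rate r describes wrong receipts kept inside the normal variance of r and grown slowly over several elections. The sketch below checks per-election complaint counts against a fixed baseline in two ways, a single-election z-test and a one-sided CUSUM accumulated across elections. The baseline rate, thresholds and counts are constructed assumptions.

```python
import math

# Constructed sample data: (ballots cast, "wrong receipt" complaints) per election.
R = 0.005  # assumed honest complaint rate r, taken from audited past elections
HONEST = [(100_000, 495), (100_000, 510), (100_000, 488), (100_000, 505), (100_000, 499)]
DRIFTING = [(100_000, 520), (100_000, 530), (100_000, 540), (100_000, 550), (100_000, 560)]

def z_score(complaints, ballots, r):
    """Excess of observed complaints over the baseline, in binomial standard deviations."""
    expected = ballots * r
    sd = math.sqrt(ballots * r * (1 - r))
    return (complaints - expected) / sd

def audit(elections, r, single_limit=3.0, slack=0.5, cusum_limit=5.0):
    """Return (single_alarms, first_cusum_alarm).

    single_alarms: indices of elections whose own z-score exceeds single_limit.
    first_cusum_alarm: index of the first election at which the one-sided CUSUM
    of z-scores exceeds cusum_limit, or None. The baseline r stays fixed, so a
    slow upward drift accumulates instead of being absorbed into a new "normal".
    """
    single_alarms, cusum, first_cusum_alarm = [], 0.0, None
    for i, (ballots, complaints) in enumerate(elections):
        z = z_score(complaints, ballots, r)
        if z > single_limit:
            single_alarms.append(i)
        # Only excess above `slack` standard deviations accumulates; never below zero.
        cusum = max(0.0, cusum + z - slack)
        if first_cusum_alarm is None and cusum > cusum_limit:
            first_cusum_alarm = i
    return single_alarms, first_cusum_alarm

if __name__ == "__main__":
    for name, data in (("honest", HONEST), ("drifting", DRIFTING)):
        print(name, audit(data, R))
```

An alarm here only says the complaint rate has moved away from the audited baseline; it cannot tell sloppier voters from altered software, which is what a hand recount of the retained paper ballots settles.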
