I assume the following are the goals of verifying a vote. I
believe these goals are justified:
1) No voter can vote twice
2) No voter can vote for another person
3) No voter can be denied his vote
4) No person not registered to vote may vote.
5) Each voter can verify the correctness of his vote
6) Every voter can verify the correct counting of the votes
7) No one can determine how another person voted
8) No voter can prove to another person how he voted.
9) Everyone can prove the rules were followed.
[ I really should grab Applied Crypto and make sure I didn't
miss any ]
All the shared keys schemes proposed so far have failed to
follow 5 and 9, and perhaps others. The reason is that nothing
stops the secretary from adding additional votes.
No one but the secretary knows the true number of votes
received. No one can prove that number. Should the secretary
wish to cheat, all he need to do is:
1) Generate whatever shared secret, hash, etc. proposed so far
2) Generate a vote to go with it
3) Tabulate that vote along with the legitimate ones
4) Add that shared secret to the list of votes
5) Lie about the number of votes received.
You might think that (4) would be detected when the list was
released, but it won't because there is no one to _deny_ that
vote. You might think that (5) would be detected, but it won't
because that would require every debian developer --- all 900 of
them --- the prove they either did or did not vote. They can do
no such thing, even if we could get them all to respond.
The easiest solution is to make sure we can trust our vote
counter. For other solutions, I will have to pull out Applied
Crypto.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
