On Wednesday, April 3, 2002, at 01:56 AM, Anthony Towns wrote:

> On Wed, Apr 03, 2002 at 12:16:18AM -0500, Anthony DeRobertis wrote:
>>      2) No voter can vote for another person
>>      3) No voter can be denied his vote
>
> These two can't be done absolutely without physical assurance --
> trivially, someone could steal another person's gpg key and vote for
> them, and bury them in a shallow grave to ensure they don't tell anyone
> about it.

Yep. Someone could also embed an attack on PGP in one of the 
chips in the vote counting machine. This person would be a very 
well known C co-designer, of course ;-)

>
>>      7) No one can determine how another person voted
>
> This is obviously not adhered to -- the secretary and DSA receive all the
> votes as signed plaintext.

No one other than the secretary, then.

>
>>      5) Each voter can verify the correctness of his vote
>>      6) Every voter can verify the correct counting of the votes
>>      8) No voter can prove to another person how he voted.
>
> These are probably mutually contradictory.

They may be. If so, (8) is least important and can be dropped.

>
>>      9) Everyone can prove the rules were followed.
>
>>      [ I really should grab Applied Crypto and make sure I didn't
>>        miss any ]
>
> Applied Crypto doesn't go into any detail at all on point (8), eg.

No, it doesn't. It's probably not really a requirement to 
Debian. It is a requirement for larger groups (e.g., cities, 
counties, states, countries) to prevent the sale of votes.

>
>> All the shared keys schemes proposed so far have failed to
>> follow 5 and 9, and perhaps others. The reason is that nothing
>> stops the secretary from adding additional votes.
>
> The person whose vote was miscounted can demand the secretary prove that
> he voted the way the secretary claims he did.

Correct. I made a mistake referencing the numbers. D'oh!

>> You might think that (4) would be detected when the list was
>> released, but it won't because there is no one to _deny_ that
>> vote.
>
> Sure there is. Send a signed mail that says "I didn't vote."

Who shall do that? Every member of Debian who did not vote? The 
verification procedure goes something like this, for each 
developer: Check list. Is my vote (identified by a shared 
cookie) on it? If so, is it recorded correctly? Lastly, do I get 
the same results as the secretary when I tally the votes?

It being a secret ballot and all, there is no way for me to 
match up a vote (other than my own, by knowledge of the shared 
cookie) with a specific developer. The cookies that the 
secretary made up happen to belong to no developer. But I don't 
(and can't) know that.

Non-existent developers don't send signed messages stating they 
did not vote. However, with the help of the secretary, they do 
vote :-(

>
>> You might think that (5) would be detected, but it won't
>> because that would require every debian developer --- all 900 of
>> them --- to prove they either did or did not vote.
>
> ... of getting away with it (where p_a is the probability
> of getting caught faking a vote for person a),

Unless I've missed something, none of the proposed checks on the 
vote counter prevent him from casting votes from Mickey Mouse, 
George W. Bush, and Elvis Presley.

The risk of the secretary being caught is no more than people 
questioning the high voter turnout [as a result of anonymous 
votes], and being able to find more developers asserting they 
did not vote than the tally shows. That risk is very low, 
especially since the number of votes needed to swing a close 
race is low. If Debian got 300 legitimate votes this election, 
and the secretary decided to add in another 50 votes, probably 
deciding the outcome of the election, could you find 550 
developers to assert they did not vote? I very seriously doubt 
it.

And without you presenting that evidence, the secretary 
would --- rightfully --- refuse to release the actual PGP-signed 
mails (which would prove his guilt) citing the Debian 
Constitution, which states the votes are private. Releasing the 
votes, he would argue, would violate that guarantee by making 
all the votes public.

Even if you did present 550 developers stating they did not 
vote, and thus showing the count wrong, the secretary would 
still be proper in refusing to release the votes, on previously 
stated Constitutional grounds. However, that would no doubt be 
opposed by the majority of developers.

>> The easiest solution is to make sure we can trust our vote counter.
>
> Pfft, where's the fun in that?

Well, _Applied Cryptography_ (you actually got me to dig it up 
and open it) tells us how not to in Section 6.1, under "Improved 
Voting with a Single Central Facility."

