Re: Firm invites experts to punch holes in ballot software
On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
> Trei, Peter wrote:
> > Frankly, the whole online-verification step seems like an unnecessary complication.
>
> It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks. You can have one, or the other, but not both, right?

Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote.

It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless.
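Added example, not part of the original post: one possible reading of the proposal above, using n-of-n XOR secret sharing so that a vote is recoverable only when all receipts carrying its shares are collected. The share count of 3, the trailing "closing" receipts, and all function names are assumptions of this sketch; the post does not specify a mechanism.

```python
import secrets

SHARES = 3  # assumption: each vote is split over the next 3 receipts issued

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_vote(vote, n=SHARES):
    """Return n shares whose XOR is `vote`; any n-1 of them are uniformly random."""
    shares = [secrets.token_bytes(len(vote)) for _ in range(n - 1)]
    last = vote
    for s in shares:
        last = xor(last, s)
    return shares + [last]

def issue_receipts(votes):
    """receipts[j] maps an earlier ballot index i to one share of ballot i's vote.

    Assumption: SHARES extra closing receipts carry the shares of the last ballots.
    """
    receipts = [{} for _ in range(len(votes) + SHARES)]
    for i, vote in enumerate(votes):
        for k, share in enumerate(split_vote(vote), start=1):
            receipts[i + k][i] = share
    return receipts

def reconstruct(receipts, collected):
    """Recover votes of ballots for which every share-bearing receipt was collected."""
    by_ballot = {}
    for j in set(collected):
        for ballot, share in receipts[j].items():
            by_ballot.setdefault(ballot, []).append(share)
    recovered = {}
    for ballot, shares in by_ballot.items():
        if len(shares) == SHARES:
            vote = shares[0]
            for s in shares[1:]:
                vote = xor(vote, s)
            recovered[ballot] = vote
    return recovered

if __name__ == "__main__":
    votes = [b"A", b"B", b"A", b"C", b"B"]  # constructed sample ballots
    receipts = issue_receipts(votes)
    print(reconstruct(receipts, [2]))                   # single receipt
    print(reconstruct(receipts, [1, 2, 3]))             # all shares of ballot 0
    print(reconstruct(receipts, range(len(receipts))))  # every receipt
```
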
Re: Firm invites experts to punch holes in ballot software
Brian McGroarty wrote:
> On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
> > It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks. You can have one, or the other, but not both, right?
>
> Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote.
>
> It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless.

If I'm happy to pervert the electoral process, then I'm quite happy to do it in busloads. In fact, this is a common approach, busses are paid for by a party candidate, the 1st stop is the polling booth, the 2nd stop is the party booth. In the west, this is done with old people's homes, so I hear.

Now, one could say that we'd distribute the verifiability over a random set of pollees, but that would make the verification impractically expensive.

iang
Re: Firm invites experts to punch holes in ballot software
On 1081373018 seconds since the Beginning of the UNIX epoch Paul Zuefeldt wrote:
> Maybe the receipt should only allow the voter to check that his vote has been counted. To get the detail you could require him to appear in person with his receipt AND a photo ID or some such, then only allow him to view his detail -- not print it.

I'd be slightly uncomfortable with this since the authorities should not have a mechanism by which they can discover for whom I voted.

--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
RE: Firm invites experts to punch holes in ballot software
Firm invites experts to punch holes in ballot software

The company's software is designed to let voters verify that their ballots were properly handled. It assigns random identification numbers to ballots and candidates. After people vote, they get a receipt that shows which candidates they chose--listed as numbers, not names. Voters can then use the Internet and their ballot identification number to check that their votes were correctly counted.

This is kind of broken. Allowing the voter to get a receipt which they take away with them for verification may allow the voter to verify that their vote was recorded as cast, but also allows coercion and vote buying.

To their credit, the creators thought of this, and suggest a partial procedural fix in the threat analysis document:

P4. Let voters discard verification receipts in poll site trash can and let any voter take them
    Result: Buyer/coercer can't be sure voter generated verification receipt
P5. Have stacks of random printed codebooks freely available in poll site
    Result: Vote buyer/coercer can't be sure captured codebook was used
P6. Have photos of on-screen codebooks freely available on-line
    Result: Vote buyer/coercer can't be sure captured codebook was used

The first problem, of course, is that a person under threat of coercion will need to present the coercer with a receipt showing exactly the mix of votes the coercer required. This leads to a combinatorial explosion of fake receipts that need to be available. Having only one vote on each receipt might mitigate this, but it still gets really messy.

Second, it's not clear how this protects against the coercer checking the ballot online - will every fake also be recorded in the system, so it passes the online check? Having both real and fake ballots in the verification server makes me very nervous.

It's possible I've missed something - this is based on a quick glance through the online documents, but I don't see any advantage this system has over the much more discussed one where the receipt is printed in a human readable way, shown to the voter, but retained inside the machine as a backup for recounts.

Just my private, personal opinion.

Peter Trei
Re: Firm invites experts to punch holes in ballot software
Trei, Peter wrote:
> Frankly, the whole online-verification step seems like an unnecessary complication.

It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks.

You can have one, or the other, but not both, right?

It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote.

iang
RE: Firm invites experts to punch holes in ballot software
Ian Grigg[SMTP:[EMAIL PROTECTED] wrote:
> Trei, Peter wrote:
> > Frankly, the whole online-verification step seems like an unnecessary complication.
>
> It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way.) or other incentives-based attacks.
>
> You can have one, or the other, but not both, right?
>
> It would seem that the former must give way to the latter, at least in political voting. I.e., no verification after the vote.
>
> iang

Yes, that seems to be the case. Note that in the current (non computer) systems, we have no way to assure that our votes actually contributed to the total, but the procedural stuff of having mutually hostile observers to the counting process makes deliberate discarding of one side's votes less likely. (Non-deliberate losses - such as the recent failure to record cards marked with the wrong kind of pen - can still happen).

VoteHere, while they seem to be well-meaning, have not solved the problem. Mercuri & Rivest have described how to do it right; we just need someone to build or retrofit the machines appropriately.

Peter Trei
Re: Firm invites experts to punch holes in ballot software
Maybe the receipt should only allow the voter to check that his vote has been counted. To get the detail you could require him to appear in person with his receipt AND a photo ID or some such, then only allow him to view his detail -- not print it.

Paul Zuefeldt

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 3:14 PM
Subject: RE: Firm invites experts to punch holes in ballot software

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Trei, Peter
> Sent: Wednesday, April 07, 2004 1:17 PM
>
> [SNIP]
>
> Frankly, the whole online-verification step seems like an unnecessary complication.

Except to those of us who don't trust the system.

Implemented correctly it could be cheap and complications could be hidden from the voter. It could be cheaper - no need to pay people to do an audit when the people will do it for you. You only need a small fraction of the people to verify their votes to get a high level of confidence that the election is valid. You only need one failure to cast doubt on the election.

This requires an un-forgeable receipt that cannot be used for coercion. Un-forgeable we have been doing for a while now with lots of different PK options. A receipt that cannot be used for coercion cannot give any indication to others of who you voted for. Right now this is a big complication (at least to me - I don't know how to create such a receipt that doesn't require mental gymnastics on the part of the voter).

-Michael Heyman
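Added example, not part of the thread: the "small fraction of voters" claim in the quoted message, worked through under a simple model. The model is an assumption of this sketch: verifiers are a uniform random sample of voters, each altered ballot is noticed if its voter checks, and the electorate sizes below are constructed.

```python
def detection_probability(total, altered, checked):
    """P(at least one altered ballot is among `checked` randomly chosen voters).

    Sampling is without replacement, so the miss probability is the
    hypergeometric term prod_{i<checked} (total-altered-i)/(total-i).
    """
    if not (0 <= altered <= total and 0 <= checked <= total):
        raise ValueError("need 0 <= altered, checked <= total")
    miss = 1.0
    for i in range(checked):
        clean_left = total - altered - i
        if clean_left <= 0:
            return 1.0  # more checks than clean ballots: detection is certain
        miss *= clean_left / (total - i)
    return 1.0 - miss

def min_verifiers(total, altered, confidence):
    """Smallest number of verifying voters that detects tampering with
    probability >= confidence, or None if nothing was altered."""
    miss = 1.0
    for k in range(1, total + 1):
        miss *= max(total - altered - (k - 1), 0) / (total - (k - 1))
        if 1.0 - miss >= confidence:
            return k
    return None

if __name__ == "__main__":
    total = 1_000_000                      # constructed electorate size
    for share in (0.001, 0.01, 0.05):      # fraction of ballots altered
        altered = int(total * share)
        k = min_verifiers(total, altered, 0.99)
        print(f"{share:.1%} altered -> {k} verifiers ({k / total:.4%} of voters)")
```

The same numbers show the limit of the argument: the fewer ballots are altered, the more verifiers are needed, and an unaltered election yields no count at all.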