Re: Critical analysis of VoteHere

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Sat Dec 13 2003 - 01:10:58 CST

One possible flaw.
If for any reason the encrypted vote mapping were made public at some
time in the future, then your receipt could be checked by a hostile
person. This hypothetical threat might allow coercion since the voter
just has to fear that his receipt could be checked.

On Dec 12, 2003, at 11:56 PM, charlie strauss wrote:

> Has there been a critical analysis of the VoteHere technology on this
> forum or published elsewhere? If so please point me to it so I don't
> waste your time.
>
> Assuming there has not been I'd like to start a discussion on VoteHere.
>
> The question is what are the problems with the VoteHere scheme? So
> far I see two flaws but perhaps they can be remedied. It does add a
> layer of complexity but it may not be too bad since it does not
> require that every voter actually check their receipt, just some.
>
> Here is a nutshell summary of how VoteHere works for those that don't
> know.
>
> PLEASE READ THIS ALL THE WAY THROUGH BEFORE YOU KNEE-JERK AND SAY THAT
> "receipts don't work or allow coercion".
>
> After selecting his votes on the touch screen the voter is presented
> with a final summary of his choices and a "cast ballot" button.
> But BEFORE the voter presses this button he is also given a paper
> receipt which shows his choices in an easy-to-read code. The voter
> will take home the receipt; the vote is recorded electronically after
> being cast.
>
> When you were deciding who to vote for the ballot question looked like
> this:
> "who do you want for president?"
> Joe Blow (56)
> Sam Jones (63)
> Hilbert Holler (13)
>
> Your final summary on screen looks like this:
> Ballot ID: 5444321
> president: 56 joe blow
> senator: 32 jane doe
> ...
>
> The receipt does not show the names, just the numbers:
> Ballot ID: 5444321
> president: 56
> senator: 32
>
> Before pressing the "cast ballot" button, the voter can if he wants to
> verify the numbers on screen and receipt match.
>
> The clever part here is that the relationships between the numbers and
> the candidates' names are different for every ballot. That is, for ballot
> 5444321, Joe Blow corresponded to the number 56, but on ballot 544321
> Joe Blow might correspond to, say, 15.
> Thus by not knowing how the mapping was randomly chosen, no one can
> know by looking at your receipt who you voted for.
>
> Now after the election is over, you decide you want to check your
> ballot. You call the 800 number and punch in your ballot Id and it
> gives you back the numbers and you can check them against your
> receipt. This way you know your ballot was counted as cast.
>
> The final ingredient is this. The actual mappings between candidate
> names and numbers for each ballot are known by the election officers and
> are publicly published in an encrypted form before the election.
>
> --- that's mostly it---
>
>
> So let's work a scenario:
> On the vote selection menu, the machine shows you that Joe Blow is
> 56 and Sam Jones is 63 before you have voted, so it might seem that
> there would be no incentive at this point to swap the numbers. (More
> on this momentarily.)
> At the summary screen, but before you cast the vote, you can verify the
> receipt matches the number. And the machine can't change your number
> after your vote since it could get caught by your phone call later.
>
>
> So are there flaws? I can think of two, but maybe there are more.
> 1) Suppose it's known with virtual certainty that Joe Blow will win.
> Then if the machine simply swaps Sam's and Joe's numbers right from the
> start then even though it does not know how an individual voter will
> vote, it will reverse all the results, giving Joe's win to Sam.
> Solutions: the mapping is also printed out on a separate receipt
> for the voter to check but not take home. The mapping could be
> dropped in a box for later spot checking by election officials.
>
> 2) How can you prove your receipt is a valid one? The VoteHere system
> has the machine print a digital signature on the receipt to allow you
> to prove the receipt is real. But suppose that when it wants to
> change your vote it simply munges the digital signature so that you
> can't later prove it's a real receipt.
> Solutions: well, if a lot of munged receipts turn up you know
> something is wrong. But you could also simply pre-print all the
> receipts with a watermark and skip the digital signature.
>
> 3) One might complain that this code stuff causes headaches for the
> voter. But to work, not every voter has to check every vote. Just
> some spot checking by some voters is all that is required.
>
> Their solution to ballot stuffing is to publish the voter rolls.
>
> Comments?
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Dec 31 23:17:09 2003
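
Added example (not part of the original message and not VoteHere's code): a simplified model of the per-ballot code scheme described above. It shows that the voter's phone check still passes when the on-screen mapping is swapped (flaw 1), while a spot check of the displayed mapping against the pre-election publication catches it. Assumptions: a SHA-256 hash commitment stands in for the "encrypted form" publication, and all function names are hypothetical.

```python
import hashlib, json, random, secrets

CANDIDATES = ["Joe Blow", "Sam Jones", "Hilbert Holler"]

def commit(ballot_id, mapping, nonce):
    """Commitment published before the election (assumed stand-in for the
    'encrypted form' in the post)."""
    blob = json.dumps([ballot_id, sorted(mapping.items()), nonce]).encode()
    return hashlib.sha256(blob).hexdigest()

def new_ballot(ballot_id, rng):
    """Draw a fresh random candidate -> two-digit code mapping for one ballot."""
    codes = rng.sample(range(10, 100), len(CANDIDATES))
    mapping = dict(zip(CANDIDATES, codes))
    nonce = secrets.token_hex(16)
    return mapping, nonce, commit(ballot_id, mapping, nonce)

def phone_check(receipt_code, recorded_code):
    """Voter's post-election check: recorded code equals the receipt code."""
    return receipt_code == recorded_code

def audit_display(ballot_id, displayed, nonce, commitment):
    """Official's spot check: the mapping shown on screen matches the commitment."""
    return commit(ballot_id, displayed, nonce) == commitment

def tally_code(mapping, code):
    """Decode a recorded code with the committed mapping."""
    return next(name for name, c in mapping.items() if c == code)

def demo():
    rng = random.Random(2003)            # fixed seed: constructed sample data
    bid = "5444321"
    committed, nonce, published = new_ballot(bid, rng)
    swapped = dict(committed)
    # Flaw 1: the machine shows Joe's and Sam's codes exchanged.
    swapped["Joe Blow"] = committed["Sam Jones"]
    swapped["Sam Jones"] = committed["Joe Blow"]
    results = {}
    for label, shown in (("honest", dict(committed)), ("swapped", swapped)):
        receipt = shown["Joe Blow"]      # voter picks Joe; this code is printed
        recorded = receipt               # machine records exactly that code
        results[label] = (phone_check(receipt, recorded),
                          tally_code(committed, recorded),
                          audit_display(bid, shown, nonce, published))
    return results

if __name__ == "__main__":
    print(demo())
```

Each result tuple is (phone check passed, candidate credited in the tally, display audit passed); only the third element differs in a way an observer can act on when the mapping is swapped.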

This archive was generated by hypermail 2.1.8 : Wed Dec 31 2003 - 23:17:18 CST