Re: Critical analysis of VoteHere

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Sat Dec 13 2003 - 09:22:28 CST

How does this scheme prevent the same receipt number being issued to
multiple people who vote *exactly* the same way, yet have the "extra"
vote you get by doing that now cast for someone else? The likelihood
that two people who vote hours apart will check their receipts
against each other is very small. If the receipt prints the time on
it, and the phone call replies with the time stamp, then this problem
can be remedied, since the second receipt number will have the wrong
time stamp.

Another problem with the scheme is that someone can demand your
receipt and using that find out exactly how you voted the same way
that you do.

That's the benefit of a voter-verified *ballot* that has to be handed
in for it to count. The voter can verify it is correct, and the
voter doesn't walk away with any receipt that displays the vote.


At 12:10 AM -0700 12/13/03, charlie strauss wrote:
>One possible flaw.
>If for any reason the encrypted vote mapping were made public at some
>time in the future then your receipt could be checked by a hostile
>person. This hypothetical threat might allow coercion since the
>voter just has to fear that his receipt could be checked.
>On Dec 12, 2003, at 11:56 PM, charlie strauss wrote:
>>Has there been a critical analysis of the VoteHere technology on
>>this forum or published elsewhere? If so please point me to it so
>>I don't waste your time.
>>Assuming there has not been I'd like to start a discussion on VoteHere.
>>The question is what are the problems with the VoteHere Scheme? So
>>far I see two flaws but perhaps they can be remedied. It does add
>>a layer of complexity but it may not be too bad since it does not
>>require that every voter actually check their receipt just some.
>>Here is a nutshell summary of how VoteHere Works for those that don't know.
>>THAT "receipts don't work or allow coercion".
>>After selecting his votes on the touch screen the voter is
>>presented with a final summary of his choices and a "cast ballot"
>>But BEFORE the voter presses this button he is also given a paper
>>receipt which shows his choices in an easy-to-read code. The voter
>>will take home the receipt, the vote is recorded electronically
>>after being cast.
>>When you were deciding who to vote for the ballot question looked like this:
>>"who do you want for president?"
>>Joe Blow (56)
>>Sam Jones (63)
>>Hilbert Holler (13)
>>Your final summary on screen looks like this:
>>Ballot ID: 5444321
>>president: 56 joe blow
>>senator: 32 jane doe
>>The receipt does not show the names just the numbers
>>Ballot ID: 5444321
>>president: 56
>>senator: 32
>>Before pressing the "cast ballot" button, the voter can if he wants
>>to verify the numbers on screen and receipt match.
>>The clever part here is that the relationships between the numbers
>>and the candidates names are different for every ballot. That for
>>ballot 5444321, joe blow corresponded to the number 56, but on
>>ballot 544321 joe blow might correspond to, say 15.
>>Thus by not knowing how the mapping was randomly chosen, no one
>>can know by looking at your receipt who you voted for.
>>Now after the election is over, you decide you want to check your
>>ballot. You call the 800 number and punch in your ballot Id and it
>>gives you back the numbers and you can check them against your
>>receipt. This way you know your ballot was counted as cast.
>>The final ingredient is this. The actual mappings between
>>candidate names and numbers for each ballot is known by the
>>election officers and is publicly published in an encrypted form before
>>the election.
>>--- that's mostly it---
>>So let's work a scenario:
>>On the vote selection menu, the machine shows you that Joe Blow
>>is 56 and Sam Jones is 63 before you have voted, so it might seem
>>that there would be no incentive at this point to swap the numbers.
>>(more on this momentarily).
>>At the summary screen, but before you cast the vote you can verify
>>the receipt matches the number. And the machine can't change your
>>number after your vote since it could get caught by your phone call.
>>So are there flaws? I can think of two, but maybe there are more.
>>1) Suppose it's known with virtual certainty that Joe Blow will win.
>>Then if the machine simply swaps Sam's and Joe's numbers right from
>>the start then even though it does not know how an individual voter
>>will vote, it will reverse all the results giving Joe's win to Sam.
>> Solutions: the mapping is also printed out on a separate
>>receipt for the voter to check but not take home. The mapping
>>could be dropped in a box for later spot checking by election
>>2) How can you prove your receipt is a valid one? The VoteHere
>>system has the machine print a digital signature on the receipt to
>>allow you to prove the receipt is real. But suppose that when it
>>wants to change your vote it simply munges the digital signature so
>>that you can't later prove it's a real receipt.
>> Solutions: well if a lot of munged receipts turn up you know
>>something is wrong. But you could also simply pre-print all the
>>receipts with a watermark and skip the digital signature.
>>3) one might complain that this code stuff causes headaches for the
>>voter. But to work not every voter has to check every vote. Just
>>some spot checking by some voters is all that is required.
>>Their solution to ballot stuffing is to publish the voter rolls.

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Wed Dec 31 23:17:10 2003
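
Added illustration, not part of the original message and not VoteHere's actual protocol: a simplified Python model of the phone check described above, showing why a receipt number shared by two identically voting voters passes a codes-only check and fails once the time stamp is compared. Ballot ID 5444399, the cast times, and all function and field names are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Receipt:
    ballot_id: str
    codes: tuple      # per-contest codes printed on the receipt, e.g. (56, 32)
    cast_time: str    # time printed on the receipt (the remedy in the message)

# Constructed sample data: what the phone lookup reads back per ballot ID.
BOARD = {
    "5444321": {"codes": (56, 32), "cast_time": "09:14"},
    # Record stored in place of the second voter's ballot, under an ID
    # that no voter holds a receipt for (hypothetical ID).
    "5444399": {"codes": (63, 32), "cast_time": "13:40"},
}

# Two voters who voted exactly the same way, hours apart, both holding
# a receipt that carries the same ballot ID and codes.
RECEIPT_A = Receipt("5444321", (56, 32), "09:14")
RECEIPT_B = Receipt("5444321", (56, 32), "13:40")

def verify_receipt(board, receipt, check_time):
    """Voter-side check: compare the read-back record with the receipt."""
    record = board.get(receipt.ballot_id)
    if record is None:
        return "missing"
    if record["codes"] != receipt.codes:
        return "codes-mismatch"
    # With the remedy, the lookup also replies with the stored time stamp.
    if check_time and record["cast_time"] != receipt.cast_time:
        return "time-mismatch"
    return "ok"

def shared_ballot_ids(receipts):
    """Ballot IDs found on more than one receipt; this only works if
    voters actually pool their receipts, which the message calls unlikely."""
    counts = Counter(r.ballot_id for r in receipts)
    return sorted(b for b, n in counts.items() if n > 1)

if __name__ == "__main__":
    for name, r in (("A", RECEIPT_A), ("B", RECEIPT_B)):
        print(name, "codes only:", verify_receipt(BOARD, r, False),
              "| with time:", verify_receipt(BOARD, r, True))
    print("shared IDs if pooled:", shared_ballot_ids([RECEIPT_A, RECEIPT_B]))
```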