Re: Critical analysis of VoteHere

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Sun Dec 14 2003 - 10:09:03 CST

On Dec 13, 2003, at 8:22 AM, Arthur Keller wrote:

> How does this scheme prevent the same receipt number being issued to
> multiple people who vote *exactly* the same way, yet have the "extra"
> vote you get by doing that now cast for someone else?

I don't know how VoteHere would handle this threat. I would guess that
the ballot/receipt number is shown on screen before you vote. Of
course an evil machine could switch your ballot number when it prints
out your ballot and hope you didn't notice.

> The likelihood that two people who vote hours apart will check their
> receipts against each other is very small. If the receipt prints the
> time on it, and the phone call replies with the time stamp, then this
> problem can be remedied, since the second receipt number will have the
> wrong time stamp.
>
> Another problem with the scheme is that someone can demand your
> receipt and using that find out exactly how you voted the same way
> that you do.

No, this would not work. The mapping of names-to-numbers changes for
every ballot; that's the cleverness of their scheme, but it introduces a
whole new problem of how you assure that the mapping you are shown does
not get switched. The VoteHere description of how this is handled gets
quite elaborate and I'm not perfectly certain it succeeds. Any time
someone tells you in detail about the exponents in their cryptoscheme
before they give you the basic flow of the method you should hang onto
your wallet.

>
> That's the benefit of a voter-verified *ballot* that has to be handed
> in for it to count. The voter can verify it is correct, and the voter
> doesn't walk away with any receipt that displays the vote.

The VoteHere scheme also appears to be a voter-verifiable system as
well. But it uses receipts, not ballots, and the receipt does not
display the votes that any ordinary person can read. Paper ballot
schemes use well-understood procedural methods for guaranteeing that no
one changes the ballots. The VoteHere scheme introduces a different,
less familiar procedural channel to maintain the mapping between your
receipt and the vote. Is this other method trustable is the essential
question being asked here.

>
> Arthur
>
> At 12:10 AM -0700 12/13/03, charlie strauss wrote:
>> One possible flaw.
>> If for any reason the encrypted vote mapping were made public at some
>> time in the future then your receipt could be checked by a hostile
>> person. This hypothetical threat might allow coercion since the
>> voter just has to fear that his receipt could be checked.
>>
>> On Dec 12, 2003, at 11:56 PM, charlie strauss wrote:
>>
>>> Has there been a critical analysis of the VoteHere technology on
>>> this forum or published elsewhere? If so please point me to it so I
>>> don't waste your time.
>>>
>>> Assuming there has not been I'd like to start a discussion on
>>> VoteHere.
>>>
>>> The question is what are the problems with the VoteHere scheme? So
>>> far I see two flaws but perhaps they can be remedied. It does add a
>>> layer of complexity but it may not be too bad since it does not
>>> require that every voter actually check their receipt just some.
>>>
>>> Here is a nutshell summary of how VoteHere works for those that don't
>>> know.
>>>
>>> PLEASE READ THIS ALL THE WAY THROUGH BEFORE YOU KNEE-JERK AND SAY
>>> THAT "receipts don't work or allow coercion".
>>>
>>> After selecting his votes on the touch screen the voter is presented
>>> with a final summary of his choices and a "cast ballot" button.
>>> But BEFORE the voter presses this button he is also given a paper
>>> receipt which shows his choices in an easy-to-read code. The voter
>>> will take home the receipt, the vote is recorded electronically
>>> after being cast.
>>>
>>> When you were deciding who to vote for the ballot question looked
>>> like this:
>>> "who do you want for president?"
>>> Joe Blow (56)
>>> Sam Jones (63)
>>> Hilbert Holler (13)
>>>
>>> Your final summary on screen looks like this:
>>> Ballot ID: 5444321
>>> president: 56 joe blow
>>> senator: 32 jane doe
>>> ...
>>>
>>> The receipt does not show the names just the numbers
>>> Ballot ID: 5444321
>>> president: 56
>>> senator: 32
>>>
>>> Before pressing the "cast ballot" button, the voter can if he wants
>>> to verify the numbers on screen and receipt match.
>>>
>>> The clever part here is that the relationships between the numbers
>>> and the candidates' names are different for every ballot. That for
>>> ballot 5444321, Joe Blow corresponded to the number 56, but on
>>> ballot 544321 Joe Blow might correspond to, say, 15.
>>> Thus by not knowing how the mapping was randomly chosen, no one can
>>> know by looking at your receipt who you voted for.
>>>
>>> Now after the election is over, you decide you want to check your
>>> ballot. You call the 800 number and punch in your ballot Id and it
>>> gives you back the numbers and you can check them against your
>>> receipt. This way you know your ballot was counted as cast.
>>>
>>> The final ingredient is this. The actual mapping between candidate
>>> names and numbers for each ballot is known by the election officers
>>> and is publicly published in an encrypted form before the election.
>>>
>>> --- that's mostly it---
>>>
>>>
>>> So let's work a scenario:
>>> On the vote selection menu, the machine shows you that Joe Blow is
>>> 56 and Sam Jones is 63 before you have voted, so it might seem that
>>> there would be no incentive at this point to swap the numbers. (More
>>> on this momentarily.)
>>> At the summary screen, but before you cast the vote, you can verify
>>> the receipt matches the number. And the machine can't change your
>>> number after your vote since it could get caught by your phone call
>>> later.
>>>
>>>
>>> So are there flaws? I can think of two, but maybe there are more.
>>> 1) Suppose it's known with virtual certainty that Joe Blow will win.
>>> Then if the machine simply swaps Sam's and Joe's numbers right from
>>> the start, then even though it does not know how an individual voter
>>> will vote, it will reverse all the results, giving Joe's win to Sam.
>>> Solutions: the mapping is also printed out on a separate receipt
>>> for the voter to check but not take home. The mapping could be
>>> dropped in a box for later spot checking by election officials.
>>>
>>> 2) How can you prove your receipt is a valid one? The VoteHere
>>> system has the machine print a digital signature on the receipt to
>>> allow you to prove the receipt is real. But suppose that when it
>>> wants to change your vote it simply munges the digital signature so
>>> that you can't later prove it's a real receipt.
>>> Solutions: well, if a lot of munged receipts turn up you know
>>> something is wrong. But you could also simply pre-print all the
>>> receipts with a watermark and skip the digital signature.
>>>
>>> 3) One might complain that this code stuff causes headaches for the
>>> voter. But to work not every voter has to check every vote. Just
>>> some spot checking by some voters is all that is required.
>>>
>>> Their solution to ballot stuffing is to publish the voter rolls.
>>>
>>> comments?
>
>
> --
> -------------------------------------------------------------------------------
> Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA 94303-4507
> tel +1(650)424-0202, fax +1(650)424-0424
>
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Dec 31 23:17:11 2003
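
The two checks discussed in this thread, as an added example that is not part of the original messages and is not VoteHere's code: a spot check that the code table shown on screen matches what was published before the election, and a phone check that compares the time stamp as well as the codes. The SHA-256 hash commitment stands in for the "encrypted form" of the mapping (an assumption), and all function names, the nonce and the sample times are constructed for illustration.

```python
import hashlib, json, secrets

CANDIDATES = ["Joe Blow", "Sam Jones", "Hilbert Holler"]
_rng = secrets.SystemRandom()

def make_mapping():
    # Fresh random candidate -> code table for one ballot.
    return dict(zip(CANDIDATES, _rng.sample(range(10, 100), len(CANDIDATES))))

def commit(ballot_id, mapping, nonce):
    # Hash commitment: a stand-in (assumption) for the "encrypted form"
    # of the mapping that is published before the election.
    blob = json.dumps([ballot_id, sorted(mapping.items()), nonce])
    return hashlib.sha256(blob.encode()).hexdigest()

def mapping_matches(ballot_id, shown, nonce, published):
    # Spot check for flaw 1: the table the machine displayed must open
    # the commitment published for this ballot ID.
    return commit(ballot_id, shown, nonce) == published.get(ballot_id)

def receipt_matches(receipt, board):
    # Phone check: codes AND time stamp must equal the recorded ballot,
    # so a receipt number reused for a later voter is exposed.
    return board.get(receipt["ballot_id"]) == (receipt["codes"], receipt["time"])

def run_checks():
    ballot_id, nonce = "5444321", secrets.token_hex(16)
    honest = make_mapping()
    published = {ballot_id: commit(ballot_id, honest, nonce)}
    # Constructed case: the machine shows Joe's and Sam's codes swapped.
    swapped = dict(honest)
    swapped["Joe Blow"], swapped["Sam Jones"] = honest["Sam Jones"], honest["Joe Blow"]
    codes = {"president": honest["Joe Blow"]}
    board = {ballot_id: (codes, "09:15")}  # the single ballot actually recorded
    first = {"ballot_id": ballot_id, "codes": codes, "time": "09:15"}
    reused = {"ballot_id": ballot_id, "codes": codes, "time": "14:40"}
    return {
        "honest_mapping": mapping_matches(ballot_id, honest, nonce, published),
        "swapped_mapping": mapping_matches(ballot_id, swapped, nonce, published),
        "first_receipt": receipt_matches(first, board),
        "reused_receipt": receipt_matches(reused, board),
    }

if __name__ == "__main__":
    print(run_checks())
```

Opening a commitment reveals that ballot's mapping, so in this model the spot check applies only to tables the voter leaves behind for officials, as the thread proposes.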
