Re: Critical analysis of VoteHere

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Sun Dec 14 2003 - 18:03:28 CST

On Dec 14, 2003, at 2:29 PM, Arthur Keller wrote:

> At 11:42 AM -0700 12/14/03, charlie strauss wrote:
>> On Dec 14, 2003, at 9:21 AM, Arthur Keller wrote:
>>> At 9:09 AM -0700 12/14/03, charlie strauss wrote:
>>>>> Another problem with the scheme is that someone can demand your
>>>>> receipt and using that find out exactly how you voted the same way
>>>>> that you do.
>>>> No this would not work. The mapping of names-to-numbers changes
>>>> for every ballot, that's the cleverness of their scheme but it
>>>> introduces a whole new problem of how you assure that the mapping
>>>> you are shown does not get switched. The Votehere descritpion of
>>>> how this is handled gets quite elaborate and I'm not perfectly
>>>> certain it succeeds. Any time someone tells you in detail about
>>>> the exponents in their crytoscheme before they give you the basic
>>>> flow of the method you should hang onto your wallet.
>>> The same way that *you* verify your ballot is the same way that
>>> someone else with your receipt can find out how you voted.
>> No you are not quite getting how the votehere scheme functions. Some
>> one with your ballot sees what you see: that you voted for "56" for
>> president. Only you and the central computer know that 56
>> corresponds to Joe Blow. When you call in to verify your ballot the
>> machine tells you that your vote was recorded for "56" like is says
>> on your receipt.
> And why can't someone else call in with your receipt, just like you
> can? There must be a way for the end-voter to verify what "56" meant
> for his/her own ballot.

No that's exactly the point. Not one including you can learn any more
than you voted for 56. There is no way for anyone besides the election
judges to know what 56 means. the connection between 56 and who you
voted for is revealed only to you at the time you place your vote and
its escrowed in encrypted format by the election computer at city hall.
    When you call in you are ONLY verifying that your vote made it to
city hall without modification. You are not checking to see if 56
means joe blow--thats taken care of by that escrowed mapping that city
hall has. At that point the only way your vote can be monkied with is
if the escrowed mapping got messed with. Which might be a danger or it
might not be; I'm not certian votehere's procedures are good enough.

One can however imagine that the mapping could get leaked some how.
its in the voting machines, the election judges have a book with it in
it, and its at city hall. I think you could get someone to leak a
copy. then the receipts could be connected to votes. Moreover, just
the threat to a leak might be sufficient for coercion (though not for
vote buying).

>> THus calling in only verifies that what you saw at the polls made it
>> all the way to city hall undistrurbed. So the real question with
>> this system is does city hall think that 56 corresponds to Joe Blow?
>> And that is why they have this (too) elaborate scheme of published
>> but encrypted mapping tables for maintaining the correspondence
>> between 56 and joe blow for your ballot number. THe quesition is
>> does their scheme succeed as described or are there holes.
>> In the case of both paper ballots and electronic ballots procedureal
>> methods and designated observers are used to ensure the vulnerable
>> points of the process. We are very comfortable with how to do this
>> with paper ballots. OVC is cool because it uses this plus some
>> additional checks. Votehere has a scheme too which might possibly
>> work but its not familiar and we have to look harder for holes in it.
> --
> -----------------------------------------------------------------------
> --------
> Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA 94303-4507
> tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Wed Dec 31 23:17:12 2003

This archive was generated by hypermail 2.1.8 : Wed Dec 31 2003 - 23:17:19 CST