Re: Fwd: Possible breakthrough: Hand count + scan

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Sun Jan 21 2007 - 13:26:29 CST

On Jan 19, 2007, at 7:26 PM, Kathy Dopp wrote:

> What does this group know and think about this voting system by Chaum?
> What would happen if there were ballot programming errors in the
> opscan system for instance, or are there more likely to be ballot
> programming errors?

Chaum's system boils away all the software issues from most of the
electronic voting arena and pushes the security of the system into
one well defined place -- the security of the codebook that relates
the hole assignments of each ballot to the interpretation of markings
on that ballot.

It is absolutely essential that the codebook used to print the
ballots be absolutely unchanged at the time of the count. If someone
has a chance to examine the ballots (or the file of ballot images)
and then fix up a codebook to make those ballots count the right
way, all is lost. If the codebook leaks out so that vote buyers
know the codes, when given the ballot numbers, all is lost.

(In some versions of the system, the codes are random and you use a
codebook to relate candidate rotations to ballot numbers, in other
versions, you use an algorithm to generate the codes from the ballot
numbers based on cryptographic keys -- for that version, substitute
"cryptographic keys" for "codebook" and you get the same story.)

The Internet voting scheme used in the Dutch parliamentary elections,
RIES, has some very similar properties. There are several good papers
on RIES, except that they gloss over some of these details.

> And how could these ballots be "hand counted" as
> the forwarder of the email says they are?

Hand counting punchscan ballots would require sorting them by ballot
number and then printing out the codebook, so that, given a particular
ballot number, you could look it up in the codebook to find out how
to interpret the markings. In sum, it'd be a real pain.

The punchscan system and RIES can be reduced to 100% open source form,
with fully open specs, such that anyone could independently write the
software needed to do a machine recount.

With both systems, though, the cornerstone of the secret ballot ends
up hiding in the security of the codebook. How do you convince
the public that no adversary could possibly have a copy of that
codebook to use in vote buying, and how do you convince the public,
at the same time, that the codebook used to print the ballots is
exactly the same as the one used to read the ballots?

                Doug Jones

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Tue Jan 1 14:12:46 2008
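
Added example, not part of the message above and not Punchscan or RIES code: a toy model of the keyed-codebook variant the message describes, showing the lookup-by-ballot-number count and a check that the codebook used at the count is the one committed to when the ballots were printed. The HMAC derivation, the salted SHA-256 commitment, and all names and sample ballots are assumptions made for illustration.

```python
import hashlib, hmac, json

CANDIDATES = ["Alice", "Bob"]            # constructed two-candidate contest

def build_codebook(key: bytes, ballot_numbers):
    """Keyed variant: each ballot's candidate order is derived from a secret key and its number."""
    book = {}
    for n in ballot_numbers:
        r = hmac.new(key, str(n).encode(), hashlib.sha256).digest()[0] % len(CANDIDATES)
        book[n] = CANDIDATES[r:] + CANDIDATES[:r]   # position i on ballot n means book[n][i]
    return book

def commit(book, nonce: bytes) -> str:
    """Salted digest recorded at print time; the nonce stays secret with the codebook."""
    canonical = json.dumps(sorted(book.items()), separators=(",", ":")).encode()
    return hashlib.sha256(nonce + canonical).hexdigest()

def tally(book, marks):
    """Hand-count procedure: sort by ballot number, look each one up, interpret the mark."""
    counts = {c: 0 for c in CANDIDATES}
    for n, pos in sorted(marks):
        counts[book[n][pos]] += 1
    return counts

def checked_tally(book, nonce, marks, printed_commitment):
    """Refuse to count with a codebook that differs from the one committed at print time."""
    if not hmac.compare_digest(commit(book, nonce), printed_commitment):
        raise ValueError("codebook does not match the one used to print the ballots")
    return tally(book, marks)

def demo():
    key, nonce = b"constructed-demo-key", b"constructed-demo-nonce"   # constructed values
    intents = {1001: "Alice", 1002: "Alice", 1003: "Bob",
               1004: "Alice", 1005: "Bob", 1006: "Alice"}             # constructed ballots
    book = build_codebook(key, intents)
    printed = commit(book, nonce)
    marks = [(n, book[n].index(c)) for n, c in intents.items()]      # what the scanner sees
    honest = checked_tally(book, nonce, marks, printed)
    altered = {n: order[::-1] for n, order in book.items()}          # codebook changed after printing
    try:
        checked_tally(altered, nonce, marks, printed)
        detected = False
    except ValueError:
        detected = True
    return honest, tally(altered, marks), detected

if __name__ == "__main__":
    print(demo())
```

The same marks give a different result under the altered codebook when no check is made, which is the failure the message warns about; the commitment addresses only the "unchanged" requirement, not the secrecy of the codebook.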
