Re: Renewed anonymity concern in OVC design

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Thu Jul 08 2004 - 17:23:41 CDT

> I'm puzzled over David Mertz's suggestion of using a hash of the ballot
> plus a seed as the UID. I don't think he solved his own proposed
> problem.
> First the original problem was that if you were forced to reveal your
> UID then a confederate with access to the paper ballots could fish
> your ballot out of the stack. The same is true of the hashed UID. It
> is still a UID to your ballot regardless of how it is derived.

My idea was that the hash is NOT printed anywhere on the ballot, but
derived algorithmically from the content of the ballot (by the BRP
app). It is, of course, true that the hashing procedure would be
publicly documented (with free source code implementing it too). This
"UID" is only -implicitly- on the ballot, not encoded per se (as is
every other hash you might calculate, theoretically).

But my assumption is that humans cannot compute that hash in their
heads. Or at least a very small number of humans, not ordinary voters.
Admittedly, it might be possible to carry in a handheld computer,
enter your votes, and know the hash from that. But that is still
outside the capability of most voters who might be bought/coerced. The
bad-guys cannot really demand an increased technical knowledge from
voters as part of their scheme.

If a seed was used, it would not be revealed as plain text either
(maybe in the barcode, if that is used). Basically, we don't want to
enable voters to reveal their hash/uid/ballot-id.

> voting again would solve Alan's issue. Not so. Under Dave's
> confederate scenario, the UID of the spoiled ballot will be missing
> from the stack if the UID is a hash of the (now changed) contents. And
> the Confederate will report this.

Actually, if we skip the seed (which I think is better), it is likely
that several matching ballots will exist. Whether one belongs to the
coerced voter, the bad-guys cannot tell.

But notice too that the hash depends on EVERY vote in the ballot. The
bad-guys need to demand specified votes in EVERY contest, not just the
one for Mayor Dechert. We have already identified insider attacks
involving "special" votes on whole ballots, so this does not really
introduce any extra danger.

> For obfuscation, I don't like the 20 digit approach, as that can be
> written down. Instead bury it in the barcode, or use Klingon font;
> anything that most people could reasonably claim that they would not
> be able to write down successfully, and thus foil Mr knee breaker.

Indeed that is the main point. Something that a voter cannot
reasonably be expected to do by her coercers, where "I could not do
it" is a plausible retort.

The hash thing is really only used for giving filenames to the EBIs.
It might be fine to skip that entirely, and just give them random
names. Given the whole ballot collection, you'd need to search the
whole EBI collection to find if they matched. But that's not
computationally infeasible either: Take ballot 1, search all the EBIs
to find one that matches (maybe not unique); strike off one of each
from the list. If you go through the ballots and have not matched
some, or have not struck off every EBI, that's an audit problem. You
don't *need* unique IDs, at all, to make this happen.

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
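The reconciliation sketched in the last paragraph of the message, as an added example that is not part of the original post or the OVC code: a hash derived only from the ballot's contents (no seed, so identical ballots deliberately collide) and a multiset match of paper ballots against EBIs that carry arbitrary filenames. The ballot contents, the filenames and the JSON canonicalisation are constructed assumptions.

```python
import hashlib
import json


def ballot_hash(ballot):
    """Derive the implicit 'UID' purely from the ballot's contents.

    Canonical JSON (sorted keys, fixed separators) makes the digest
    independent of the order the contests were recorded in. No seed is
    mixed in, so two ballots with identical votes hash identically.
    """
    canonical = json.dumps(ballot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(paper_ballots, ebis):
    """Match paper ballots against EBIs (dict of filename -> content).

    Each match strikes off one paper ballot and one EBI. Returns the
    number of paper ballots with no matching EBI and the filenames of
    EBIs left unstruck; either being non-empty is an audit problem.
    """
    pool = {}  # content hash -> EBI filenames still available to strike
    for fname, content in ebis.items():
        pool.setdefault(ballot_hash(content), []).append(fname)
    unmatched_paper = 0
    for ballot in paper_ballots:
        names = pool.get(ballot_hash(ballot))
        if names:
            names.pop()            # strike off one matching EBI
        else:
            unmatched_paper += 1   # paper ballot with no electronic image
    leftover = sorted(f for names in pool.values() for f in names)
    return unmatched_paper, leftover


# Constructed sample data (assumed contests, choices and filenames).
PAPER = [
    {"Mayor": "Dechert", "Council": "Lee"},
    {"Mayor": "Dechert", "Council": "Lee"},   # same votes, same hash
    {"Mayor": "Smith", "Council": "Lee"},
]
EBIS = {
    "7f3a.xml": {"Council": "Lee", "Mayor": "Dechert"},  # key order differs
    "c01e.xml": {"Mayor": "Dechert", "Council": "Lee"},
    "9bb2.xml": {"Mayor": "Smith", "Council": "Ng"},     # does not match any paper ballot
}

if __name__ == "__main__":
    print(reconcile(PAPER, EBIS))  # → (1, ['9bb2.xml'])
```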
Received on Sat Jul 31 23:17:07 2004

This archive was generated by hypermail 2.1.8 : Sat Jul 31 2004 - 23:17:15 CDT