Re: Voting Crypto Contest held by ES&S

From: Rick Carback <rick_dot_carback_at_gmail_dot_com>
Date: Wed Jul 25 2007 - 13:20:34 CDT

Let me try to save Ben some typing...

1) How to prove your vote:
> take a picture of the completed ballot with your cell-phone camera
> before it is shredded. Take home the completed ballot.
> i) It would be improbable that one could accidentally find two
> pieces that matched correctly that specified another vote pattern so
> the picture is proof

Obviously, if you can somehow be in the booth, looking over the voter's
shoulder, you have a problem.. This isn't really any different.

2) Subverting the vote 1:
> If I have the keys I can decode the vote and know how you voted.
> i) if you can know how people voted it's not a secret ballot or
> even an open ballot. Only the privileged know how you voted. That
> alone is invaluable for vote suppression in future elections, and of
> course there's the whole bit about coercion.

It's a secret sharing scheme, so you need to coerce m out of the n election
trustees to do this.. Even then, it's a chore to track down who has what
receipt, or to have recorded that data beforehand without people noticing.
The receipts are somewhat pseudonymous so long as you aren't keeping a poll
book with "voter name" and "ballot id" right next to each other, which you
should not do. I find that to be reasonable protection, BUT, if you are
really, really paranoid about this happening, you could do a TWIN-like
protocol or instead/in addition to having 3rd parties get copies of all
receipts so that there's no reliance on voters to check them.

3) subverting the vote2:
> I may not even need to know the keys if I can manipulate
> things at the time the ballot pairs are generated in Chaum's scheme.
> Chaum has two steps where the labels on the candidates can be
> inverted. This is the encoding. If I were able to add one more
> completely random inversion in that pipeline, then I suspect I can
> alter the vote outcome, yet the keys will appear to be perfectly
> normal to all observers. And I won't even know what the keys are.
> i) the attack to change the election outcome is to only
> scramble the inversions in precincts where my candidate is going to
> lose. If the pairs are randomized the election should head towards
> 50-50 and that means my candidate picks up votes.

Alternatively, you could just find a way to have people not vote at all,
(which is what they do now). Anyhow, if you did something like that, it
would be caught rather quickly, since you commit to what things look like,
and then someone else asks you to reveal parts of that data. For each ballot
you did that, you'd have a 50/50 chance of getting caught, that's a less
than 1 percent chance of success for even 10 ballots (and the auditing
happens multiple times throughout the process, so it's even harder to pull
something like that off for even 1 ballot..).

4) subverting the vote3:
> If I have the keys then can't I forge a set of ballots that 1)
> match the receipts, 2) but change the votes?

Nope, see the previous.. the commitments are unconditionally secure and
happen before the election begins.

I'd avoid confusing complexity and transparency. The protocol is probably as
transparent as you can get (not only does the voter see what he did while he
was there is included, anyone can see that the public record of receipts
decode properly..). It is also complex, but I do not think it is that bad.
I'd estimate that the upper bound on full understanding for a high schooler
might take a couple days or a week of concentrated effort, but it's not out
of reach for most people willing to learn.

-Richard Carback

OVC-discuss mailing list

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Tue Jul 31 23:17:06 2007
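
The commit-then-challenge audit argued in point 3 above, as an added example that is not part of the original message or of any voting system's code. It is a simplified model, not the actual protocol: each ballot has two inversion bits, and a salted SHA-256 hash stands in for the commitment scheme (an assumption; it is only computationally binding). All function names are hypothetical.

```python
import hashlib
import hmac
import random
import secrets

def commit(bit, salt):
    """Salted SHA-256 commitment to one inversion bit (assumed scheme)."""
    return hashlib.sha256(salt + bytes([bit])).hexdigest()

def make_ballot(rng):
    """Authority fixes two inversion stages and publishes both commitments
    before the election begins."""
    stages = [(rng.randrange(2), secrets.token_bytes(16)) for _ in range(2)]
    published = [commit(bit, salt) for bit, salt in stages]
    return stages, published

def tamper(stages, rng):
    """Constructed scenario from the thread: one stage is inverted after
    the commitments were published."""
    i = rng.randrange(2)
    bit, salt = stages[i]
    changed = list(stages)
    changed[i] = (bit ^ 1, salt)
    return changed

def audit(stages, published, rng):
    """Auditor asks for one stage, chosen at random, to be revealed and
    checks the opening against the published commitment."""
    i = rng.randrange(2)
    bit, salt = stages[i]
    return hmac.compare_digest(commit(bit, salt), published[i])

def evade_probability(k):
    """Chance that k independently tampered ballots all pass one audit."""
    return 0.5 ** k

def simulate(k, trials, seed=1):
    """Fraction of trials in which all k tampered ballots go unnoticed."""
    rng = random.Random(seed)
    evaded = 0
    for _ in range(trials):
        passed = True
        for _ in range(k):
            stages, published = make_ballot(rng)
            passed &= audit(tamper(stages, rng), published, rng)
        evaded += passed
    return evaded / trials

if __name__ == "__main__":
    print("analytic, 10 ballots:", evade_probability(10))
    print("simulated, 10 ballots:", simulate(10, 20000))
```

A single audit round already puts ten tampered ballots at 1/1024; repeated audit rounds, as the message notes, lower that further.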
