Re: Barcode Redux

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Fri Jun 04 2004 - 14:24:35 CDT

On Jun 4, 2004, at 1:23 PM, charlie strauss wrote:
> technically an OCR system leaves the door open to steganography and
> hence the real possibility personal info could be encoded.

Adding a barcode doesn't prevent steganography in the watermark (nor in
microspaces between words, etc).

As I see it there are two issues that are largely orthogonal:

(1) Does the ballot give average voters the impression that something
shady is likely to be going on?

- I now think that using a barcode tends to give this impression.
Maybe really smart programmers are able to establish with reasonable
confidence that it actually doesn't contain covert channels, but
average voters don't necessarily buy this reliance on "just trust us."

(2) Are there REALLY any covert channels on a ballot?

- This one is tougher to guarantee (in the negative). A moderately
clever guy like me can think of dozens of ways to hide information in a
ballot. If I think only fleetingly, I can design it so average voters
won't notice it; if I ponder more deeply, I can design it so that even
expert cryptographers cannot easily find it.

The answer to this deeper question requires many things: source code
inspection; parallel testing; independent implementations of published
standards; statistical regressions of encoded info; and so on. It's
difficult to prove a negative; we only get there asymptotically.

Nonetheless, I think it is worth addressing issue #1, even if #2 is not
definitively answered.

> A bar code that is deliberately limited in its bit count can be
> reliably inspected by any reasonably skilled geek to determine if it
> could include more than required information.

Even an information-limited barcode can leak *some* information though.
If the barcode includes one bit more than the globally optimal
encoding, it could answer the improper question "Is this voter a
registered Democrat?" If it includes two bits leeway, it could answer
the first question plus "Did this voter vote in the last election?" If
it includes maybe ten bits of padding it could identify which house in
the precinct the voter lives in.

Putting contests at bit boundaries, it should be noted, means the
encoding is not the globally optimal one. It requires cleverness to
conform to a basic encoding and still hide information, but some
mathematicians are very clever.

Moreover, as soon as we put in crypto codes, there's some more room for
leakage. For example, let's say we use a 64-bit RSA signature. It
might seem like that 64 bits is simply exactly what is needed for the
specified key. But key selection might not be truly random: for
example, I might choose primes selectively during key generation,
thereby leaking info by the pattern of my selection.

All that said, I'll push the slogan I made up before: You can fit fewer
dangerous things in a jewelry box than in a truck trailer!
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Jun 30 23:17:06 2004
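
An added example, not part of the original message: a Python audit check for the point above about a barcode carrying more bits than the votes need. The contest names, choice counts and function names are constructed for illustration, and mixed-radix packing is an assumed stand-in for the "globally optimal encoding" the message mentions.

```python
import math

# Constructed sample ballot (not from the message): valid selections per
# contest, counting "no selection" as one of the choices.
CONTESTS = {"President": 6, "Senator": 4, "Measure A": 3, "Measure B": 3, "Sheriff": 5}
CHOICES = list(CONTESTS.values())

def optimal_bits(choices):
    """Bits needed when all contests are packed into one mixed-radix number."""
    return (math.prod(choices) - 1).bit_length()  # exact ceil(log2(product))

def aligned_bits(choices):
    """Bits needed when every contest gets its own whole-bit field."""
    return sum((c - 1).bit_length() for c in choices)

def encode(selections, choices):
    """Pack one selection index per contest into a single integer."""
    if len(selections) != len(choices):
        raise ValueError("one selection per contest is required")
    value = 0
    for sel, c in zip(selections, choices):
        if not 0 <= sel < c:
            raise ValueError(f"selection {sel} out of range for {c} choices")
        value = value * c + sel
    return value

def decode(value, choices):
    """Unpack a barcode value; reject anything outside the ballot space."""
    if not 0 <= value < math.prod(choices):
        raise ValueError("codeword does not correspond to any valid ballot")
    selections = []
    for c in reversed(choices):
        value, sel = divmod(value, c)
        selections.append(sel)
    return selections[::-1]

def slack_report(barcode_bits, choices):
    """How much room a barcode of the given size leaves beyond the votes."""
    needed = optimal_bits(choices)
    if barcode_bits < needed:
        raise ValueError("barcode too small to hold every possible ballot")
    return {"optimal_bits": needed,
            "slack_bits": barcode_bits - needed,
            "unused_codewords": 2 ** barcode_bits - math.prod(choices)}

if __name__ == "__main__":
    print("optimal:", optimal_bits(CHOICES), "bit-aligned:", aligned_bits(CHOICES))
    print(slack_report(aligned_bits(CHOICES), CHOICES))
```

For this sample ballot the bit-aligned layout costs one bit more than the packed one, and even the packed form leaves codewords that match no valid ballot, which is why `decode` rejects them instead of ignoring them.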