PIN/ballot-id for EVM voter activation

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Fri May 14 2004 - 14:13:01 CDT

> Was something like a one time use PIN number discussed?  Voters would
> generally be used to those.  I can see plenty of trouble with those as
> well.

One way to handle PIN numbers would be to have the initialization
routine for EVMs print out a list of PINs to activate that machine.
Well, maybe not the whole list of 10k numbers but just the initial 500
of them or so. These numbers would probably just be random, but
perhaps they would have some relation to the generated cryptographic
key(s). In order to avoid correlation with voted ballots, the PIN list
should differ from the ballot-id list.

When a voter walks to the check-in desk to state/prove her identity,
the poll worker would do several things. First would be the same as in
current systems, the poll worker would put an X next to the voter's
name in the registration books to indicate s/he had voted.

At this point (as I imagine the system I'm describing), a voter would
need to indicate which vote station s/he intends to vote at (probably
one that is currently unoccupied, but you can give the voter the
choice). The poll worker pull out the list of randomized-sequence
PINs, and tells the voter the last unused one, and strikes out that PIN
from the list. I guess the poll worker could write this number on a
slip of paper, if voters cannot remember a four digit number. If it
seems necessary, I guess the numbers could be printed onto perforated
sheets to allow tearing PIN strips.

When a voter goes to a machine, she enters the PIN number she was
given. If this number is the same as the next PIN the machine is ready
to accept, the voter proceeds. If not, something went wrong, and a
poll worker need to take remedial action. The EVMs might impose a
small delay between accepting PIN attempts--maybe 10 seconds. For a
voter who simply mistypes a key, this isn't a terrible wait; but for an
attacker who wants to try guessing PINs, this makes guessing infeasible
(the attacker needs an average of 5000 attempts to guess the PIN, or
about 13 hours). After the voter votes, the PIN she was given has no

Thinking about it, the list of PINs need not require all PINs are
distinct the way all ballot-ids are distinct. That is, if the PIN 3849
occurs in position 1 and position 435 on the PIN list, that's fine. In
fact, it's better because it doesn't let an attacker eliminate PINs
based on those prior voters used (but even if they get these, and PINs
are distinct, the attack is still remote).

In the above system, a poll worker needs to avoid exposing the
ballot-id list to voters--or at least the next few sequential PINs.
This might be done by slowly sliding the list out of a folder, or by
looking at it behind a small opaque partition (e.g. a few inch high
cardboard wall). That seems doable.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:17:43 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT