Re: PIN/ballot-id for EVM voter activation

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Fri May 14 2004 - 17:08:53 CDT

At 3:13 PM -0400 5/14/04, David Mertz wrote:
>>Was something like a one time use PIN number discussed? Voters
>>would generally be used to those. I can see plenty of trouble with
>>those as well.
>One way to handle PIN numbers would be to have the initialization
>routine for EVMs print out a list of PINs to activate that machine.
>Well, maybe not the whole list of 10k numbers but just the initial
>500 of them or so. These numbers would probably just be random, but
>perhaps they would have some relation to the generated cryptographic
>key(s). In order to avoid correlation with voted ballots, the PIN
>list should differ from the ballot-id list.
>When a voter walks to the check-in desk to state/prove her identity,
>the poll worker would do several things. First would be the same as
>in current systems, the poll worker would put an X next to the
>voter's name in the registration books to indicate s/he had voted.
>At this point (as I imagine the system I'm describing), a voter
>would need to indicate which vote station s/he intends to vote at
>(probably one that is currently unoccupied, but you can give the
>voter the choice). The poll worker pulls out the list of
>randomized-sequence PINs, and tells the voter the last unused one,
>and strikes out that PIN from the list. I guess the poll worker
>could write this number on a slip of paper, if voters cannot
>remember a four digit number. If it seems necessary, I guess the
>numbers could be printed onto perforated sheets to allow tearing PIN
>When a voter goes to a machine, she enters the PIN number she was
>given. If this number is the same as the next PIN the machine is
>ready to accept, the voter proceeds. If not, something went wrong,
>and a poll worker needs to take remedial action. The EVMs might
>impose a small delay between accepting PIN attempts--maybe 10
>seconds. For a voter who simply mistypes a key, this isn't a
>terrible wait; but for an attacker who wants to try guessing PINs,
>this makes guessing infeasible (the attacker needs an average of
>5000 attempts to guess the PIN, or about 13 hours). After the voter
>votes, the PIN she was given has no significance.
>Thinking about it, the list of PINs need not require all PINs are
>distinct the way all ballot-ids are distinct. That is, if the PIN
>3849 occurs in position 1 and position 435 on the PIN list, that's
>fine. In fact, it's better because it doesn't let an attacker
>eliminate PINs based on those prior voters used (but even if they
>get these, and PINs are distinct, the attack is still remote).
>In the above system, a poll worker needs to avoid exposing the
>ballot-id list to voters--or at least the next few sequential PINs.
>This might be done by slowly sliding the list out of a folder, or by
>looking at it behind a small opaque partition (e.g. a few inch high
>cardboard wall). That seems doable.

That means that a PIN is for a particular voting machine, not just
any available machine. So you couldn't easily have a single queue
for all the machines *after* people sign in.

Second, the PIN number doesn't specify what ballot type (e.g., party
for primary, precinct for combined precinct polling place if the
ballot types differ).

Smart cards can fix both of these problems.

Best regards,

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:17:43 2004
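
A minimal model of the activation check discussed in this message, added here as an illustration and not code from the thread or from any EVM project. The class, function names and PIN lists are assumptions constructed for the example; it shows the sequential per-machine PIN list, the 10-second attempt delay, and why a PIN issued for one machine does not activate another.

```python
import hmac
import secrets
import time

ATTEMPT_DELAY_S = 10    # delay between PIN attempts, as suggested in the quoted proposal
PIN_SPACE = 10_000      # four-digit PINs

class ActivationGate:
    """Hypothetical model of one machine's PIN check (not a real EVM API)."""

    def __init__(self, pins=None, count=500, clock=time.monotonic):
        # PINs are drawn independently, so repeats on the list are allowed.
        self.pins = pins or [f"{secrets.randbelow(PIN_SPACE):04d}" for _ in range(count)]
        self.next_index = 0       # only the next unused PIN is accepted
        self.locked_until = 0.0
        self.clock = clock

    def try_pin(self, pin):
        now = self.clock()
        if now < self.locked_until:
            return "wait"         # attempt arrived inside the delay window
        self.locked_until = now + ATTEMPT_DELAY_S
        expected = self.pins[self.next_index] if self.next_index < len(self.pins) else None
        if expected is not None and hmac.compare_digest(pin.encode(), expected.encode()):
            self.next_index += 1  # the PIN has no significance after use
            return "activated"
        return "rejected"

def expected_guess_hours(pin_space=PIN_SPACE, delay_s=ATTEMPT_DELAY_S):
    # The proposal's estimate: an average of pin_space / 2 attempts, one per delay.
    return (pin_space / 2) * delay_s / 3600

def demo():
    t = [0.0]                     # constructed manual clock, in seconds
    clock = lambda: t[0]
    # Constructed PIN lists; 3849 repeats on machine A's list, as the proposal allows.
    a = ActivationGate(pins=["3849", "0172", "3849"], clock=clock)
    b = ActivationGate(pins=["5521", "9034"], clock=clock)
    out = [a.try_pin("0000"),     # mistyped PIN
           a.try_pin("3849")]     # correct, but inside the 10 s delay
    t[0] += ATTEMPT_DELAY_S
    out.append(a.try_pin("3849")) # correct PIN after the delay
    out.append(b.try_pin("3849")) # machine A's PIN tried on machine B
    t[0] += ATTEMPT_DELAY_S
    out.append(a.try_pin("3849")) # already-used PIN; next expected is 0172
    return out

if __name__ == "__main__":
    print(demo(), round(expected_guess_hours(), 1))
```
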
