Re: PIN/ballot-id for EVM voter activation

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Sat May 15 2004 - 23:33:22 CDT

At 3:13 PM -0400 5/14/04, David Mertz wrote:
>>Was something like a one time use PIN number discussed? Voters
>>would generally be used to those. I can see plenty of trouble with
>>those as well.
>One way to handle PIN numbers would be to have the initialization
>routine for EVMs print out a list of PINs to activate that machine.
>Well, maybe not the whole list of 10k numbers but just the initial
>500 of them or so. These numbers would probably just be random, but
>perhaps they would have some relation to the generated cryptographic
>key(s). In order to avoid correlation with voted ballots, the PIN
>list should differ from the ballot-id list.
>When a voter walks to the check-in desk to state/prove her identity,
>the poll worker would do several things. First would be the same as
>in current systems, the poll worker would put an X next to the
>voter's name in the registration books to indicate s/he had voted.

In some jurisdictions, the voter signs in next to the voter's name.

>At this point (as I imagine the system I'm describing), a voter
>would need to indicate which vote station s/he intends to vote at
>(probably one that is currently unoccupied, but you can give the
>voter the choice).

What if there's a long line for voting machines and NONE are
unoccupied? What if the line for signing in moves faster than the
queues for voting machines? Why shouldn't I simply be able to take
the next machine available?

>The poll worker pulls out the list of randomized-sequence PINs, and
>tells the voter the last unused one, and strikes out that PIN from
>the list. I guess the poll worker could write this number on a slip
>of paper, if voters cannot remember a four digit number. If it
>seems necessary, I guess the numbers could be printed onto
>perforated sheets to allow tearing PIN strips.
>When a voter goes to a machine, she enters the PIN number she was
>given. If this number is the same as the next PIN the machine is
>ready to accept, the voter proceeds. If not, something went wrong,
>and a poll worker needs to take remedial action. The EVMs might
>impose a small delay between accepting PIN attempts--maybe 10
>seconds. For a voter who simply mistypes a key, this isn't a
>terrible wait; but for an attacker who wants to try guessing PINs,
>this makes guessing infeasible (the attacker needs an average of
>5000 attempts to guess the PIN, or about 13 hours). After the voter
>votes, the PIN she was given has no significance.
>Thinking about it, the list of PINs need not require all PINs are
>distinct the way all ballot-ids are distinct. That is, if the PIN
>3849 occurs in position 1 and position 435 on the PIN list, that's
>fine. In fact, it's better because it doesn't let an attacker
>eliminate PINs based on those prior voters used (but even if they
>get these, and PINs are distinct, the attack is still remote).
>In the above system, a poll worker needs to avoid exposing the
>ballot-id list to voters--or at least the next few sequential PINs.
>This might be done by slowly sliding the list out of a folder, or by
>looking at it behind a small opaque partition (e.g. a few inch high
>cardboard wall). That seems doable.

Avoiding exposing the ballot ID list can be a tricky thing. And if
someone sees two PINs and votes twice, when the next voter goes
to vote on that machine they can't. How do you fix it? Call a judge?

Best regards,

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:17:45 2004
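
The sequenced-PIN scheme and the double-vote problem raised in the reply, modelled as an added example that is not part of the original message or of any project code. The HMAC derivation, the labels, the class and function names, and the sample PIN list are assumptions made for illustration.

```python
import hashlib
import hmac

PIN_SPACE = 10_000                       # four-digit PINs, as in the message
ATTEMPT_DELAY_S = 10                     # delay the EVM imposes between attempts
SAMPLE_PINS = ["3849", "0172", "9051"]   # constructed sample list

def derive_list(key: bytes, label: bytes, count: int) -> list[str]:
    """Assumed construction: HMAC-SHA256 over a label and a position.
    Distinct labels keep the PIN list unrelated to the ballot-id list;
    repeated PINs can occur, which the message allows."""
    out = []
    for i in range(count):
        mac = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(f"{int.from_bytes(mac[:8], 'big') % PIN_SPACE:04d}")
    return out

def expected_guess_hours() -> float:
    """PIN_SPACE/2 attempts on average, one per ATTEMPT_DELAY_S seconds."""
    return (PIN_SPACE / 2) * ATTEMPT_DELAY_S / 3600

class Station:
    """EVM side: accepts only the next PIN in its list, rate-limited."""
    def __init__(self, pins):
        self.pins, self.pos, self.next_try = pins, 0, 0.0

    def try_pin(self, pin: str, now: float) -> str:
        if now < self.next_try:
            return "wait"                # still inside the delay window
        self.next_try = now + ATTEMPT_DELAY_S
        if self.pos < len(self.pins) and hmac.compare_digest(pin, self.pins[self.pos]):
            self.pos += 1                # PIN consumed, never valid again here
            return "ok"
        return "reject"                  # a poll worker has to step in

def double_vote_scenario(pins):
    """One voter is issued pins[0] but also saw pins[1]; the next voter is
    then issued pins[1]. Returns (results, drift before the next voter)."""
    station, issued = Station(pins), 1   # desk has struck pins[0] only
    results = [station.try_pin(pins[0], 0), station.try_pin(pins[1], 600)]
    drift = station.pos - issued         # PINs consumed minus PINs issued
    issued += 1                          # desk strikes pins[1] for the next voter
    results.append(station.try_pin(pins[1], 1200))
    return results, drift
```

A nonzero drift between the station's counter and the desk's strike-through list is the signal that the two lists have gone out of step before the next legitimate voter is turned away.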
