Re: Printers Revisited

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Mon May 24 2004 - 14:59:23 CDT

On May 24, 2004, at 3:36 PM, Arthur Keller wrote:
> I thought about that, but rejected the idea because some unscrupulous
> official (or the voter!) could print another ballot on the other side.
> Then the ballot would have to be rejected, since you wouldn't know
> which one was the "correct" one.

This attack does not work!

Only a ballot printed on a real voting machine will have matching
cryptographic signatures. So under the hypothetical that an
unscrupulous official takes a stack of ballots to a printer in the back
room, and prints false votes on the backsides, the specific events can
be easily reconstructed from the lack of matching cryptography on
exactly one side of every two-sided ballot. Once voting machines are
closed out/finalized, the secret keys are erased from memory, and it is
mathematically infeasible to EVER sign a ballot again with matching
keys.

If you construe the attack as being that unscrupulous officials go to
actual voting machines to print the backs of submitted ballots, you
need a rather broad conspiracy. You need the attacker to have access
to the ballot box and initialized voting machines, either without
detection or with cooperation from the other poll workers. Given these
pre-conditions, a MUCH stronger attack is to simply stuff a ballot box
with false ballots that cannot be easily identified (and perhaps
destroy an equivalent number of true ballots). Unlike the
two-sided-print attack, this one does not cry out that fraud was
committed (the attacker can get away with it). The two-sided-print
attack makes it pretty darn obvious that tampering has taken place...
it may not enable a direct remedy, but it cannot escape notice, and
flag a need for remediation.

I'm still not FOR the ballot-stock system of party ballots, overall. I
continue to believe that my own per-voter PIN system is better (no need
for voters feeding paper into printers... and the
chocolate-covered-fingers vulnerability that Karl pointed out). But I
do not find the two-sided-print attack on the ballot-stock system at
all plausible.
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:18:02 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT