RE: Re: Request for technical opinion on EBIs

From: John Payson <jpayson_at_circad_dot_com>
Date: Wed May 26 2004 - 17:29:08 CDT

For example, Charlie has proposed that a certain kind of back-reference
from ballots to prior ballots could help detect tampering or other
problems (this could be in either EBIs or on actual paper ballots).
He's right, in fact. But at first blush, that provides sequence
information about ballots. There may be a way to implement Charlie's
idea with suitable cryptographic masking, thereby preserving anonymity.
  Or there may not, details have not been proposed yet. I feel strongly
that our first attitude towards this kind of proposal should be
skepticism... but no so much so that we're not willing to accept
records that can be proven to maintain anonymity suitably.

Such backreferences would allow for auditing EBIs against physical ballots
via random sampling. In multi-race elections, the backreferences may (and
probably should) be handled separately for each race, but if backreferences
are included and suitable protocols for audits are in place, it would be
possible for any interested person to confirm the integrity of an election
seem like a **MAJOR** feature.

No matter how thoroughly-inspected code is, it can be very difficult to
ensure that the code which is actually being executed is in fact the
code which was approved. Against a determined adversary, such assurance can
be nearly impossible (since e.g. a USB CD-ROM drive might be tampered with
so its firmware would supply a 'fake' code image instead of the one on disk).
To the extent that software's operation can be confirmed for correctness by
auditing what it DOES, that would be much better than trying to audit what
the code "is".
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:18:07 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:17 CDT