Fwd: Crypto question: Hashing ultimate output for local use

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sun May 01 2005 - 23:05:35 CDT

> 1.  What is to keep some malefactor from generating a new hash
> signature after tampering with the program and posting it as the
> correct hash signature?  At the very least, it could be confusing.

The hash can be made very public, and via multiple channels. For
example, publish the correct software hash in both of the competing
local papers (one that endorses Republicans, one that endorses
Democrats) two weeks before the election; and also put a copy of the
identical hash on the county registrars website. And wherever else you
want. A tamperer would have to tamper with all these channels.
Advance publication allows the good guys plenty of time to make sure
the published hash is the correct one... yeah, I know, if it isn't,
what do we do? It's a question, but not an unanswerable one.

> 2.  I understand that the EVM will consists of at least two modules, a
> core and a front end with ballot design capabilities where election
> officials would enter the names of candidates and set the election
> parameters.  If the entire program is meant to run from one CD how
> would the ultimate morning of election hash signature be checked?

One technique is to hash the entire CD image. Every major operating
system ships with an implementation of MD5 built in. Plus there are a
number of Free Software implementations available. So anyone, with any
operating system, can stick the "EVMix" CD in their computer, and run
something like 'md5sum /dev/cdrom'. Then they hold their favorite
newspaper in one hand, and make sure the numbers published look like
the ones on screen.

The point is, we don't want anyone to trust just the verification
software we provided (since we might have tampered with *that* too).
The verification can be done with freely available and ubiquitous
pre-existing tools.

The above, however, is not strictly the only possible sequence. There
are also ways to hash more modular parts of the software toolchain.
And to use a public key infrastructure. And... But a master EVMix hash
is clean, easy to understand, and straightforward.

OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Tue May 31 23:17:10 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:52 CDT