securing electronic ballots

From: Clay Lenhart <clay_at_lenharts_dot_net>
Date: Sun Nov 23 2003 - 22:01:06 CST

Axioms for securing electronic ballots:

People who have access to the private signing keys cannot have access to
the electronic ballots before the ballots are published.

and

The people who publish the public signing keys used in the election
cannot be the people who publish the ballots.

Otherwise they can alter the election. In the first case, they can sign
bogus ballots with the private keys they are holding, and in the second
case, they can create bogus keys and sign bogus ballots.

David's plan
(http://gnosis.python-hosting.com/voting-project/initial-digests/0109.html)
could break #2, unless there is an independent organization reading the
key fingerprint from the machines.

To address this, representatives from the various political parties on
the ballot could "publish" (verify) the public keys on each machine.
They would verify that the SOS office publishes the right set of public
keys with the signed ballots.

I would add two minor changes to it:
Never release the private keys. Otherwise the ballots could be forged
between when the private keys are extracted and the ballots are
published. Extracting the private key is a risk that is not necessary
to take.

Publish the public keys when initializing the machines -- in case the
machine crashes. This way the ballots that are already signed will have
a corresponding public key.

What should we do about the potential of deleting ballots?

-Clay

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Nov 30 23:17:06 2003

This archive was generated by hypermail 2.1.8 : Sun Nov 30 2003 - 23:17:13 CST
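The following is an added example, not code from Clay's message or from the voting project, modelling the two axioms and the observer check above. It assumes Ed25519 machine keys, SHA-256 fingerprints of the public keys as the value observers record, and constructed machine IDs and ballot strings (precinct-1, precinct-2, contest1:A, ...). The private key stays inside the Machine struct (never released); observers take fingerprints at initialization, before any ballot exists; the verifier first checks the published key set against the observers' record (axiom 2) and only then checks ballot signatures (axiom 1). BogusKeyPublication shows why the observer step matters: a publisher who controls both the key list and the ballots produces a set that passes signature checking on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Machine is a voting machine; its private key is generated here and never exported.
type Machine struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// SignedBallot is one ballot plus the issuing machine's signature over it.
type SignedBallot struct {
	MachineID string
	Ballot    []byte
	Sig       []byte
}

// ObserverRecord maps machine ID to the key fingerprint observers recorded at init.
type ObserverRecord map[string]string

// NewMachine generates the key pair when the machine is initialized.
func NewMachine(id string) *Machine {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness; nothing sensible to do in a demo
	}
	return &Machine{ID: id, Pub: pub, priv: priv}
}

// Fingerprint is the value observers read off the machine and write down (assumed: SHA-256 of the key).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Cast signs a ballot; signing happens inside the machine.
func (m *Machine) Cast(ballot string) SignedBallot {
	msg := []byte(ballot)
	return SignedBallot{MachineID: m.ID, Ballot: msg, Sig: ed25519.Sign(m.priv, msg)}
}

// SignaturesValid is the check anyone can do from the SOS publication alone:
// does every ballot verify under the key published for its machine?
func SignaturesValid(published map[string]ed25519.PublicKey, ballots []SignedBallot) bool {
	for _, b := range ballots {
		pub, ok := published[b.MachineID]
		if !ok || !ed25519.Verify(pub, b.Ballot, b.Sig) {
			return false
		}
	}
	return true
}

// Verify is the full check: the published key set must match the observers'
// record exactly (axiom 2), then every ballot must verify (axiom 1).
func Verify(observers ObserverRecord, published map[string]ed25519.PublicKey, ballots []SignedBallot) error {
	if len(published) != len(observers) {
		return fmt.Errorf("published %d keys, observers recorded %d", len(published), len(observers))
	}
	for id, pub := range published {
		want, ok := observers[id]
		if !ok {
			return fmt.Errorf("machine %s: key published but never observed at init", id)
		}
		if Fingerprint(pub) != want {
			return fmt.Errorf("machine %s: published key differs from observed fingerprint", id)
		}
	}
	if !SignaturesValid(published, ballots) {
		return fmt.Errorf("a published ballot does not verify under its machine's key")
	}
	return nil
}

// setup initializes two machines, takes the observers' record before any
// ballot exists, and casts two constructed ballots.
func setup() ([]*Machine, ObserverRecord, []SignedBallot) {
	machines := []*Machine{NewMachine("precinct-1"), NewMachine("precinct-2")}
	observers := ObserverRecord{}
	for _, m := range machines {
		observers[m.ID] = Fingerprint(m.Pub)
	}
	return machines, observers, []SignedBallot{machines[0].Cast("contest1:A"), machines[1].Cast("contest1:B")}
}

func honestKeys(machines []*Machine) map[string]ed25519.PublicKey {
	return map[string]ed25519.PublicKey{machines[0].ID: machines[0].Pub, machines[1].ID: machines[1].Pub}
}

// HonestPublication: the SOS publishes the genuine keys and ballots.
func HonestPublication() error {
	machines, observers, ballots := setup()
	return Verify(observers, honestKeys(machines), ballots)
}

// BogusKeyPublication: the publisher controls both key list and ballots
// (axiom 2 broken). It swaps in its own key for precinct-2 and signs its own
// ballots. Returns the signature-only verdict and the full verdict.
func BogusKeyPublication() (sigsOnly bool, full error) {
	machines, observers, ballots := setup()
	impostor := NewMachine("precinct-2")
	published := map[string]ed25519.PublicKey{machines[0].ID: machines[0].Pub, impostor.ID: impostor.Pub}
	ballots = []SignedBallot{ballots[0], impostor.Cast("contest1:A"), impostor.Cast("contest1:A")}
	return SignaturesValid(published, ballots), Verify(observers, published, ballots)
}

// AlteredBallotPublication: honest key list, but a ballot is changed before
// publication by someone without the machine's private key.
func AlteredBallotPublication() error {
	machines, observers, ballots := setup()
	ballots[1].Ballot = []byte("contest1:A") // flipped vote; signature no longer covers it
	return Verify(observers, honestKeys(machines), ballots)
}

func main() {
	fmt.Println("honest:", HonestPublication())
	sigs, full := BogusKeyPublication()
	fmt.Println("bogus key - signatures only:", sigs, "| with observers:", full)
	fmt.Println("altered ballot:", AlteredBallotPublication())
}
```

Note that the honest run and the bogus-key run look identical to anyone who only has the SOS publication: both carry valid signatures under the keys published beside them. The fingerprints taken by an independent party at initialization are the only input that distinguishes them, which is the point of the second axiom and of the "publish public keys at initialization" change. Deleted ballots are not addressed by this check at all, which is the open question at the end of the message.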