Re: securing electronic ballots

From: Amit Sahai <sahai_at_CS_dot_Princeton_dot_EDU>
Date: Mon Nov 24 2003 - 09:50:46 CST


I have not yet had a chance to review the proposed security scheme in the
NSF proposal, but for sake of timeliness, let me add my thoughts to this

> |Publish the public keys when initializing the machines -- in case the
> |machine crashes. This way the ballots that are already signed will have
> |a corresponding public key.
> This isn't a bad modification of my idea. That is, it COULD use public
> key cryptography, and disclose the public key at initialization. So the
> public key is published before any votes are cast. During the
> finalization procedure, the private key is permanently and irretrievably
> erased. Any valid ballot must match against the public key published at
> the beginning of the voting period (per voting machine).

Using public-key signature schemes is indeed far preferable to using
private-key crypto in this situation. Public keys have many advantages:

1) One can immediately assess the validity of any ballot.

2) (Assuming the private key is destroyed) There is no risk of an
adversary being able to produce false ballots at any time, including
after the election.

> P.S. In any case, even I admit the cryptography is somewhat secondary.
> In the case of a challenge, we will have the voter verified paper
> ballots to allow a recount. No matter how corrupted the electronic
> files may become (through software error or malice), the paper is still
> there. I don't mind--in fact, I quite advocate--additional
> cryptographic checks in the process. But the paper is the ultimate
> guarantor.

This is a dangerous point of view. Having paper ballot printouts doesn't
address the issue of ballot-stuffing, among others. We should aim for a
system that is MORE secure than the current system, not merely as secure.

Prof. Amit Sahai
Department of Computer Science
Princeton University
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Nov 30 23:17:07 2003

This archive was generated by hypermail 2.1.8 : Sun Nov 30 2003 - 23:17:13 CST
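An added example, not part of this thread or any proposal it discusses, showing the per-machine scheme described above in working code: the public key is disclosed at initialization, each ballot is signed, the private key is erased at finalization, and any ballot is checked against the published key. It uses Ed25519 from Go's standard library; the machine id, ballot record format and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Machine holds one voting machine's signing state (assumed model).
type Machine struct {
	ID        string
	Published ed25519.PublicKey  // disclosed at initialization, before any vote
	priv      ed25519.PrivateKey // erased at finalization
	finalized bool
}

// Initialize generates the per-machine keypair and returns the key to publish.
func Initialize(id string) (*Machine, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Machine{ID: id, Published: pub, priv: priv}, pub, nil
}

// SignBallot signs one ballot record; refused once the machine is finalized.
func (m *Machine) SignBallot(ballot []byte) ([]byte, error) {
	if m.finalized || m.priv == nil {
		return nil, errors.New("machine finalized: private key no longer exists")
	}
	return ed25519.Sign(m.priv, ballot), nil
}

// Finalize overwrites the private key in memory and drops it, so no further
// ballots (genuine or forged) can be signed for this machine.
func (m *Machine) Finalize() {
	for i := range m.priv {
		m.priv[i] = 0
	}
	m.priv = nil
	m.finalized = true
}

// VerifyBallot checks a ballot against the key published at initialization;
// anyone holding the published key can do this immediately.
func VerifyBallot(published ed25519.PublicKey, ballot, sig []byte) bool {
	return ed25519.Verify(published, ballot, sig)
}
```

Sign a few ballots, call Finalize, and SignBallot returns an error while VerifyBallot still accepts every ballot signed before finalization and rejects any altered one.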