electronically detecting tampering

From: Clay Lenhart <clay_at_lenharts_dot_net>
Date: Wed Nov 26 2003 - 12:27:14 CST

I wanted to put on the table what I think is the current best solution for electronically detecting if ballots have been tampered with, and its weaknesses. It is based on David's plan from a number of months ago, except that it uses public/private keys. Please make suggestions, because my feeling is that this is not good enough.

When the machine boots, it generates a public and private key pair. The private key cannot be extracted from the machine. A number of people, independent from the election administration, "publish" the public key so that we are fairly certain that we know which public keys are valid.

Each voter completes a ballot and the ballot is signed with the private key. The ballot has a unique ballot number that is included in the signature to detect duplication of signed ballots.

The ballots and the signatures are uploaded to a central location to count the ballots and verify the signatures. (I know I'm missing some steps, but this is more other people's area)

The ballots and signatures can be downloaded by anyone to verify the electronic signatures.

This scheme will detect if ballots have been updated, but it doesn't *electronically* detect inserts and deletes. As you know "delete + insert = update". If we can prevent inserts of ballots through some process, then the independent group of people can publish the number of voters for a location and this will detect deleted ballots. I.e. if the number of electronic ballots does not match the number of voters, then a percentage of ballots were deleted. There might be a process that can prevent inserts, but I would prefer to detect this electronically somehow, because I can be fairly certain about what happens electronically, but I won't know if a process was obeyed.

However, since the private keys cannot be extracted from the machines, then someone would have to use the machines to create fake ballots. The insert problem seems somewhat contained.

Another concern: What if the software were modified so that it didn't generate new pub/priv keys, but used a preknown pub/priv key pair and this public key became one of the "valid" public keys? Is there a way to verify the software used at the time of the election, against its source code? Since python runs text files, this seems possible. Then the independent group of people would publish the source code at this time. This is probably a good idea in general b/c it makes the software auditable and we are certain about which code was used by the machines.

-Clay
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
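A toy simulation of the scheme sketched in the message above, added here as an example and not code from Clay or the project: each machine gets its own key pair, every ballot is signed together with its unique ballot number, and an independent checker verifies the batch against the published key list and the published voter count. It uses textbook RSA with a Fermat primality test so it runs with no third-party libraries (a stand-in, not a production signature scheme); the machine name and ballot contents are constructed.

```python
import hashlib
import secrets

def _random_prime(bits):
    # Fermat test with random bases: adequate for a toy key generator, not for real keys.
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd and exactly `bits` long
        if all(pow(secrets.randbelow(p - 3) + 2, p - 1, p) == 1 for _ in range(20)):
            return p

def keygen(bits=512):
    # Textbook RSA with no padding, a toy stand-in for the key pair each machine makes at boot.
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi, e = (p - 1) * (q - 1), 65537
        if phi % e:  # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def _digest(ballot_no, contents):
    # The ballot number is signed together with the contents, so a signed ballot
    # cannot be replayed under a different number.
    return int.from_bytes(hashlib.sha256(f"{ballot_no}|{contents}".encode()).digest(), "big")

def sign(priv, ballot_no, contents):
    return pow(_digest(ballot_no, contents), priv[1], priv[0])

def verify(pub, ballot_no, contents, sig):
    return pow(sig, pub[1], pub[0]) == _digest(ballot_no, contents)

def audit(ballots, published_keys, published_voter_count):
    # What an independent checker can find: an unknown key or altered ballot, a duplicated
    # ballot number, and a count mismatch that reveals deletions. A ballot forged on a
    # genuine machine passes every check, which is the insert gap the message describes.
    problems, seen = [], set()
    for b in ballots:
        pub = published_keys.get(b["machine"])
        if pub is None or not verify(pub, b["ballot_no"], b["contents"], b["sig"]):
            problems.append(("bad_signature", b["ballot_no"]))
        if b["ballot_no"] in seen:
            problems.append(("duplicate", b["ballot_no"]))
        seen.add(b["ballot_no"])
    if len(seen) != published_voter_count:
        problems.append(("count_mismatch", len(seen) - published_voter_count))
    return problems

def make_ballot(machine, priv, ballot_no, contents):
    return {"machine": machine, "ballot_no": ballot_no, "contents": contents,
            "sig": sign(priv, ballot_no, contents)}
```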
Received on Sun Nov 30 23:17:09 2003