Re: Ballot Reconciliation Procedure

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Fri Nov 28 2003 - 10:59:42 CST

|How does an independent organization know that the votes arrived and
|were counted? It is possible that the ballots were swapped out with
|preprinted ballots and preburned CDs in route to the SOS office.

They know based on the per-machine signature keys (whether public-key as
Clay recommends, or disclosed-on-finalization private-key as I
recommended earlier). The random key information is unknown to a
potential ballot/CD forger, and the submitted CDs/ballots can be
compared to the widely published per-machine keys.

However, a man-in-the-middle attack seems possible still. The paper
ballots and the CDs are put in Mallory's delivery truck to take to the
central office. Mallory goes through the ballots, and burns all those
that vote for "Jones". Then Mallory reads the CDs, and burns new CDs
that contain only a subset of the records on the authentic CD (minus
Jones); however the signatures on each retained XML record are left

The precinct has a count that differs from that at the central office
(more Jones votes); but what the central office gets is self-consistent.
How to prove what Mallory did? One approach is to create an SHA/MD5
hash of the CDs at the precinct level, and send that by separate means
(e.g. publish it on the internet). Now Mallory cannot create a
self-consistent forgery of the precinct CDs/ballots. But that's just a
first thought... and it starts to get complicated too quickly (given
poll workers must do the various steps right).

Yours, David...

    _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/
   _/_/    ~~~~~~~~~~~~~~~~~~~~[]~~~~~~~~~~~~~~~~~~~~~  _/_/
  _/_/  The opinions expressed here must be those of my employer...   _/_/
 _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them!  _/_/
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Sun Nov 30 23:17:11 2003
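The two points made in the message above, worked as an added example that is not part of the original post or of any voting-project code: per-record signatures still verify after a courier silently drops records, so they cannot by themselves reveal the deletion, whereas a digest over the whole precinct record set, published by a separate channel before the media leave the precinct, does reveal it. The record format, the machine key, the use of an HMAC in place of a per-record signature, and the sample ballots are all constructed for this illustration.

```python
"""Added illustration: per-record signatures versus a published whole-set digest.

Assumptions (not from the original message): a per-machine HMAC-SHA256 tag
stands in for the per-record signature (a public-key signature would behave
identically for this argument), ballots are small JSON records, and the
precinct digest is SHA-256 over the record count plus every record tag.
"""
import hashlib
import hmac
import json

# Constructed per-machine key, modelling the "disclosed-on-finalization"
# private key from the message. Real keys would be random and per machine.
MACHINE_KEY = b"precinct-07-machine-03-demo-key"


def sign_record(record: dict, key: bytes = MACHINE_KEY) -> dict:
    """Attach a tag over the canonical JSON encoding of one ballot record."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(signed: dict, key: bytes = MACHINE_KEY) -> bool:
    """Check one record's tag; says nothing about records that are missing."""
    body = json.dumps(signed["record"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["tag"])


def all_records_valid(signed_records) -> bool:
    return all(verify_record(s) for s in signed_records)


def precinct_digest(signed_records) -> str:
    """Digest the precinct publishes out of band (e.g. on the internet).

    Binding the record count and every tag means no subset of the authentic
    set can reproduce this value.
    """
    h = hashlib.sha256()
    h.update(len(signed_records).to_bytes(4, "big"))
    for s in signed_records:
        h.update(bytes.fromhex(s["tag"]))
    return h.hexdigest()


def drop_candidate(signed_records, candidate: str):
    """The in-transit alteration the message describes: records for one
    candidate are removed, every surviving record keeps its original tag."""
    return [s for s in signed_records if s["record"]["choice"] != candidate]


def reconcile(received, published_digest: str) -> bool:
    """Central-office check: every tag verifies AND the whole-set digest
    matches the value the precinct published before the media were shipped."""
    return all_records_valid(received) and precinct_digest(received) == published_digest


# Constructed sample ballots for the demo.
BALLOTS = [
    {"id": 1, "choice": "Jones"},
    {"id": 2, "choice": "Smith"},
    {"id": 3, "choice": "Jones"},
    {"id": 4, "choice": "Smith"},
    {"id": 5, "choice": "Jones"},
]
SIGNED = [sign_record(b) for b in BALLOTS]
PUBLISHED_DIGEST = precinct_digest(SIGNED)  # published before transit


def demo() -> dict:
    """Return what each check says about the authentic and the altered set."""
    altered = drop_candidate(SIGNED, "Jones")
    return {
        "altered_count": len(altered),
        "altered_records_each_verify": all_records_valid(altered),
        "altered_passes_reconciliation": reconcile(altered, PUBLISHED_DIGEST),
        "authentic_passes_reconciliation": reconcile(SIGNED, PUBLISHED_DIGEST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The altered set passes the per-record check because each surviving tag is genuine; only the whole-set digest, which the courier cannot recompute to match a value already published, exposes the missing records. Publishing the record count alongside the digest gives poll workers a cheap sanity check even before anyone recomputes the hash.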
