Re: Denying the Troops a Secret Ballot

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sat Sep 04 2004 - 10:42:00 CDT

On Sep 4, 2004, at 5:44 AM, charlie strauss wrote:
> It seems to me that if there ever was a good case for
> VoteHere technology this would be it. My sense is that the risk to
> troops is not so much corruption of their vote but rather knowing
> their vote was cast, counted and delivered secretly.

I think I see the main risk as the vendor (or other interested party)
selectively "losing" a lot of votes for one candidate. So indeed, a
VoteHere/Chaum type system gives assurances that a vote actually is

I think a simpler system would address the basic issue too. For this
suggestion you need the premise that two separate semi-trusted entities
don't share secrets: (1) Each voter completes an electronic ballot; (2)
EBI is encrypted with public key of Entity A; (3) Encrypted EBI is
signed by private key of individual voter (private key could be issued
at time of voting, of course, and emitted on a paper stub); (4) Entity
B receives the collection of signed/encrypted ballots and a list of
voters, and makes sure they match; (5) Entity B removes signatures from
all ballots, then transmits unsigned (but encrypted) ballots to Entity
A; (6) Entity A decrypts all the ballots and turns them over to the

Actually, Entity A can be two competing political Parties who share a
private key in advance of the election. Each Party can receive the
same encrypted ballot collection; and if they don't produce the same
decryption, you know someone is not being honest.

Entity B -could- delete ballots in transit, but B has no idea what
votes each encrypted ballot contains, so the fraud options are greatly
reduced. B knows that a voter cast a particular encrypted ballot, but
this does not disclose a secret, since the contents are not visible.

But VoteHere has thought through these sorts of things. So I guess
they, indeed, have an OK system. Well, except the "we pretend it's open
source, but if you see the code the NDA contaminates you" part. So who
really knows if their system is any good... if you know, you can't say.

Actually, though... I wouldn't even be so worried about the
non-cryptographic handling if it just had procedural transparency: let
elections monitors watch the steps; publish the protocols and source
code involved; etc. The secrecy is the real killer, even more than any
cryptographic flaws.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Thu Sep 30 23:17:02 2004
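
Steps (1) to (6) of the message above, as an added example that is not code from the original post or from any voting system it names. Toy textbook RSA over fixed Mersenne primes stands in for real public-key encryption and signature schemes; the function names, the voter names and the random nonce inside each ballot are assumptions of this example.

```python
import hashlib, random, secrets

E = 65537  # public exponent shared by every toy key

def keypair(k1, k2):
    """Toy RSA key from Mersenne primes 2**k1-1, 2**k2-1: (modulus, private d)."""
    p, q = 2**k1 - 1, 2**k2 - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(ct, n):
    return int.from_bytes(hashlib.sha256(str(ct).encode()).digest(), "big") % n

def cast(choice, a_n, voter_key):
    """Steps 1-3: encrypt the ballot to Entity A, then sign the ciphertext."""
    v_n, v_d = voter_key
    # Assumed (not in the post): random nonce so equal votes encrypt differently.
    m = int.from_bytes(b"\x01" + secrets.token_bytes(8) + choice.encode(), "big")
    ct = pow(m, E, a_n)
    return ct, pow(digest(ct, v_n), v_d, v_n)

def entity_b(signed, roll):
    """Steps 4-5: check ballots against the voter list, strip signatures."""
    seen, out = set(), []
    for voter, ct, sig in signed:
        v_n = roll.get(voter)
        if v_n is None or voter in seen or pow(sig, E, v_n) != digest(ct, v_n):
            continue  # not on the list, second ballot, or bad signature
        seen.add(voter)
        out.append(ct)
    random.SystemRandom().shuffle(out)  # arrival order would link ballot to voter
    return out

def entity_a(cts, a_n, a_d):
    """Step 6: decrypt the unsigned ballots and tally them."""
    tally = {}
    for ct in cts:
        m = pow(ct, a_d, a_n)
        choice = m.to_bytes((m.bit_length() + 7) // 8, "big")[9:].decode()
        tally[choice] = tally.get(choice, 0) + 1
    return tally

def run_election():
    """Constructed sample: three listed voters, one repeat, one unlisted signer."""
    a_n, a_d = keypair(127, 521)
    keys = {"alice": keypair(61, 89), "bob": keypair(89, 107), "carol": keypair(61, 107)}
    votes = [("alice", "X"), ("bob", "Y"), ("carol", "X"), ("alice", "Y")]
    signed = [(v, *cast(c, a_n, keys[v])) for v, c in votes]
    signed.append(("dave", *cast("Y", a_n, keypair(107, 127))))
    forwarded = entity_b(signed, {v: k[0] for v, k in keys.items()})
    return len(forwarded), entity_a(forwarded, a_n, a_d)
```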
