[ale] OT: Electronic Voting in GA

Charles Shapiro cshapiro at nubridges.com
Fri Oct 31 09:27:54 EST 2003


Uh, you wanna buy my vote? Worse, you want to threaten me to vote a
certain way?

In addition to making a vote verifiable by the voter, you must also make
it impossible for anyone else to verify the ballot after it is cast,
even with the cooperation of the voter.

A paper tape with a vote printout behind glass on a voting machine, for
example, fulfills much of this purpose.  Keys or records a voter carries
out of the voting booth are not acceptable.

Voting systems which are not independently auditable and which contain
nothing but electronic records are also not acceptable. Voting systems
whose "printed records" consist of a printout of electronic records
created after voting has taken place are not acceptable.

I will not be voting November 4.

-- CHS

On Fri, 2003-10-31 at 00:46, Joe Knapka wrote:
> "Michael D. Hirsch" <mhirsch at nubridges.com> writes:
> 
> > On Tuesday 28 October 2003 02:12 pm, Jeff Hubbs wrote:
> 
> [scissors of brevity]
> 
> > > Say all you want about quantum cryptography, but how do you keep it or any
> > > other mechanism from being perverted or subverted?
> > 
> > Hell if I know.  Voting mechanisms have so many possible failure points that 
> > the security of the transmission is probably the part I worry about least.  
> > Given the insecurities of recording the proper vote initially, insecure 
> > storage mechanisms, no audit trail, etc., why would anyone bother trying to 
> > crack the transmission security?
> 
> The point of secure voting protocols is not (merely) transmission
> security. Rather, it is to make the voting process:
> 
> (1) Incorruptible, in that the vote counts cannot be manipulated,
> even by an "insider", without that manipulation being obvious, and
> 
> (2) Transparent, in that the voter can positively verify that
> his vote was properly tabulated.
> 
> In this regard, the use of PKC in secure voting protocols is not (or
> not only) to obscure the content of the messages being passed among
> the various entities involved in the voting process. Instead, it is to
> insert "tags" into the data stream that enable the data to be tracked
> and verified at every stage. For example, one step of a secure voting
> protocol might be to take the cleartext of one's vote and append to it
> a hash value derived by applying some one-way function to the vote
> data and one's private key, then pass that cleartext data and the hash
> along to the vote-counting authority. If that hash value doesn't turn
> up in some form among the tabulated vote data, that constitutes
> evidence that one's vote was maliciously altered. The point of that
> application of a PKC technique isn't to make one's vote hard to read;
> rather it's to make it possible to verify that one's vote was counted
> properly.
> 
> If you read some of the literature about this subject (and again, the
> relevant sections of Schneier's "Applied Cryptography" are very good),
> you'll find that even in the presence of a potentially "corrupt"
> infrastructure, it's still possible to build a voting system that's
> provably secure and transparent *in principle* -- ASSUMING that the
> cryptographic techniques employed are really as secure as they are
> believed to be. Naturally, that assumption may be wrong, in the
> absence of formal proofs of correctness; nonetheless, such a system
> would be far better than the fecal matter Diebold is promulgating.
> 
> Cheers,
> 
> -- Joe Knapka
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
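
The tagged-ballot step described in the quoted message, together with the objection raised in the reply, as an added example that is not part of the original thread: the same tag that lets a voter detect a changed ballot also lets anyone who is given the key confirm how that voter voted. Assumptions: HMAC-SHA256 stands in for the unspecified one-way function, the authority publishes (vote, tag) pairs, and all keys, voters and choices are constructed sample data.

```python
import hashlib
import hmac

def ballot_tag(voter_key: bytes, vote: str) -> str:
    # Assumption: HMAC-SHA256 stands in for the thread's unspecified
    # "one-way function" over the vote data and the voter's private key.
    return hmac.new(voter_key, vote.encode(), hashlib.sha256).hexdigest()

def cast(voter_key: bytes, vote: str) -> tuple[str, str]:
    """Cleartext vote plus tag, as handed to the counting authority."""
    return (vote, ballot_tag(voter_key, vote))

def appears_on_board(board: set, key: bytes, vote: str) -> bool:
    """True if (vote, tag) for this key was tabulated. Nothing here depends
    on who runs it: the voter and anyone given the key get the same answer."""
    return (vote, ballot_tag(key, vote)) in board

def run_scenario() -> dict:
    # Constructed sample data: three voters, two choices.
    keys = {"v1": b"key-one", "v2": b"key-two", "v3": b"key-three"}
    choices = {"v1": "A", "v2": "B", "v3": "B"}
    ballots = {v: cast(keys[v], choices[v]) for v in keys}

    honest_board = set(ballots.values())
    # An insider flips v2's vote; without v2's key the tag cannot be redone.
    tampered = dict(ballots)
    tampered["v2"] = ("A", ballots["v2"][1])
    tampered_board = set(tampered.values())

    return {
        "honest_verifies": appears_on_board(honest_board, keys["v2"], "B"),
        "tamper_detected": not appears_on_board(tampered_board, keys["v2"], "B"),
        # The objection in the reply: v1 hands the key to a third party, who
        # can now confirm the demanded vote, or confirm it was not cast.
        "third_party_confirms_A": appears_on_board(honest_board, keys["v1"], "A"),
        "third_party_rules_out_B": not appears_on_board(honest_board, keys["v1"], "B"),
    }

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

All four results are true, which is the tension in the thread: the check that exposes insider tampering is the same check that works as a receipt once the key leaves the booth.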


