Re: election: I wonder.....

From: hal@finney.org
Date: Thu Nov 09 2000 - 11:28:50 MST


There has been considerable work in the cryptographic community on
anonymous voting schemes. Most of them have some disadvantages, and
there are difficulties in marrying the cryptographic technology
to the real world of voters, registrars, county recorders and such.

I know a guy who works at votehere.net, one company which is promoting
a cryptographic voting system. They have some descriptions of the
technology at http://votehere.net/VH-Content-v2.0/gettingtechnical.html.
This is from http://votehere.net/VH-Content-v2.0/whitepapers/primer.html:

   The privacy of individually verifiable election systems [FOO92, PIK93,
   Cra96, Sch95] comes from blind signatures. Blind signatures [Cha81]
   are a class of digital signatures that allow a document to be signed
   without revealing its contents. An often used analogy is that of
   placing a document and a sheet of carbon paper inside an envelope. If
   somebody signs the outside of the envelope, the carbon paper transfers
   the signature to the document on the inside of the envelope. The
   signature remains on the document when removed from the envelope.

   Typically, a voter blinds and digitally signs his voted ballot and
   submits it to a verifying authority. The voted ballot also contains a
   unique serial number generated by the voter. Once the voter submits the
   blinded vote to the verifier, the verifier checks the voter's digital
   signature and voter eligibility. If all criteria are met, the verifier
   checks the voter off the voter roles, countersigns the voted ballot,
   and sends the blinded, countersigned ballot back to the voter.

   The voter removes the blinding encryption layer revealing the verifying
   authority's signature. Now that all voter specific information
   is removed from the ballot, the voter submits it to the tallying
   authority through an anonymous channel. An anonymous communications
   (e.g., onion routing) channel protects the message with multiple
   layers of encryption using randomly selected intermediate points (see
   [SGR] for a discussion of onion routing). The tallying authority
   authenticates the verifying authority's digital signature and adds
   the results to the tally.

The VoteHere system is actually quite a bit more sophisticated than
this, but even so there are problems. Some of these are shared with
any non-poll vote, like absentee ballots. For example, you can sell
your vote by letting someone watch you vote. There are also issues of
electronically authenticating voters and making sure they are eligible.
Many of the same old frauds will still work, such as padding the voter
lists with dead or imaginary voters.

There is some discussion of electronic voting in the
Risks digest at http://catless.ncl.ac.uk/Risks/21.11.html and
http://catless.ncl.ac.uk/Risks/21.10.html. One of the links from there
is to http://avirubin.com/e-voting.security.html, which emphasizes
the insecurity of home computer systems, bringing a risk of fraud and
manipulation.

Hal



This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 15:31:53 MST