A Secure and Verifiable Voting System 346
meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."
One question.... (Score:2, Insightful)
yes (Score:4, Funny)
Oh god, it gets worse... (Score:3, Interesting)
Re:One question.... (Score:2, Informative)
The only way I can think of to keep the vote you made readable would be to take into the booth a bogus second layer and then hand it to the poll worker to shred--leaving your vote intact and readable.
Re:One question.... (Score:2)
You have a computer take the votes and print a receipt that is human readable that gets taken home. Along with that, it prints a very large random number.
After the election, you can go to a webpage and type in that number and it will tell you how that person voted. That allows the voter to verify the results.
The second bit is that you need to be able to go to the same web page and ask for the 1st vote or the 12,232 vote. In fact you should be able to download all the votes (including the ra
Re:One question.... (Score:4, Insightful)
You can build secure systems on top of insecure components. See any encrypted internet protocol for an example.
Combination.. (Score:2, Insightful)
How much longer till they figure this out?
Re:Combination.. (Score:3, Funny)
They've figured out already.
Re:Combination.. (Score:2)
Re:Combination..--not quite (Score:3, Interesting)
prove they have an authentic receipt
audit the records
would also help quite a bit.
Now, even that still doesn't handle stuff like people voting twice. We'll still need to worry about stuff like folks using false/invalid ID and voting (which is pretty rare I would suspect, but give them time).
Re:Combination.. (Score:5, Interesting)
Re:Combination.. (Score:5, Insightful)
Re:Combination.. (Score:4, Insightful)
Re:Combination.. (Score:5, Insightful)
Re:Combination.. (Score:2)
Re:Combination.. (Score:3, Insightful)
A proprietary back-door hidden in object code and protected by DMCA is the alternative to the proposal of open source voting technology. Die Die Die -bold and ESS have demonstrated this in actuality.
Hiding algorithms does not improve cryptography - and revealing them does not weaken it.
Re:Combination.. (Score:5, Insightful)
You didn't read it right. You can't print out your throwaway half and see who you voted for. You can print out (from the website) a copy of the half you took with you, to confirm that your vote wasn't tampered with between you placing it and it getting to the central database or wherever. This sentence (from the article) confused me for a moment too, and I think you misunderstood it: "You would then be able to check for yourself that it has been posted correctly by, for instance, printing it out and overlaying the two and seeing that they are the same." They mean you can print out your half, not the other half that would reveal who you voted for.
The whole point of these fancy receipts is that nobody can use your receipt to see who you voted for. They can only use your receipt to confirm your vote is on the site (and as such, that you voted).
(Mods should really mod the parent comment down as it's spreading a total misunderstanding of the concept).
Re:Combination.. (Score:5, Informative)
Re:Combination.. (Score:2)
Ditto, and wouldn't it be even better to record the votes on the ballots in plain English in an easily OCR-able font? Then the tabulator would only have to OCR the ballot and count the number of string occurrences. It takes advantage of technology, provides easy voter review without secret-looking barcodes (because the tabulator sees what you see), and it even allows for write-in votes to be cast.
I penciled out a sketch of my idea in my journal - check it out if you want.
Re:Combination.. (Score:2, Interesting)
Okay I read the other half... Either I am being overly obtuse, or
Re:Combination.. (Score:2)
Re:Combination.. (Score:2, Offtopic)
[TMB]
Re:Combination.. (Score:2)
The only way for a voter to know that their vote was counted correctly is to have a receipt that matches a particular vote cast. Otherwise they don't really know anything.
Re:Combination.. (Score:2)
Did Florida teach you nothing?
(is X + Y = Z a new
Nice idea (Score:2)
Simon
Re:Nice idea (Score:3, Interesting)
Your ballot can be checked to ensure that it is a valid vote. The pixelating XOR stuff he did is to ensure that, while your vote can be checked for validity, it cannot be checked to see who you voted for, except by the board of trustees, who have the other half of the vote and have no information about who you are.
Re:Nice idea (Score:2)
By "checking", he means "checking for validity". Not "finding out who you voted for".
[TMB]
David Chaum... (Score:5, Informative)
I just hope that if Chaum starts a company for his e-voting solution, it fares better than Digicash. IIRC, he wouldn't sell to M$ for $100M or to Visa for $40M, but ended up bankrupting Digicash and having to leave it. I'm not sure if I've got all the details right, so anyone's welcome to correct me.
I'm sure he put lots of thought into it, (Score:3, Insightful)
I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives. Just voting is key to any democracy, so tread lightly!
Re:I'm sure he put lots of thought into it, (Score:2, Insightful)
Print one human-readable receipt that you drop in the ballot box. There's still the problem of ensuring anonymity and preventing ballot stuffing, but that could be solved pretty easily. Generate a list of random or even serial UIDs for each polling place, enough for all registered voters and a few extra for provisional ballots. Print the UID on bottom of the receipt with maybe a sleeve to hide everything but the UI
Re:I'm sure he put lots of thought into it, (Score:3, Insightful)
Yep. Independent verification that your vote is valid and was counted.
In terms of voting and counting votes it isn't as complicated as it sounds.
1) Vote on a computer.
2) Computer prints receipt.
3) Select top or bottom from the computer screen.
4) Computer prints validation code.
5) Take receipt.
6) Give half that says "Give to poll personnel" to poll personnel for shredding.
7) Encrypted voting data transferred to counting location where keys are used to decrypt and count results.
8) Cele
Re:I'm sure he put lots of thought into it, (Score:2)
Except that all you are doing is comparing if two images are the same. That can be done by a machine.
Let blind people use printers that make black pixels raised so they can check by touch if they want...
Re:I'm sure he put lots of thought into it, (Score:2)
I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives
Ha! Got it. But how do I know that sticking with paper is what you really wrote? Ba-dump bump.
I appreciate the thought the author put into the idea, but why the need to make something as simple as a multiple-choice questionnaire into a massive computer technology festival anyway? Simple optical technology to quickly count such things has existed and been used by schools
Re:I'm sure he put lots of thought into it, (Score:4, Interesting)
The *process* is very simple and completely automatic.
The *reason* it works is *slightly* more complex, but is considerably easier to understand than, say, public key cryptography. This is not rocket science.
Properties of the system:
- it allows each voter to verify that their vote has been recorded;
- it does not allow a voter, or anybody else involved, to prove which way they voted (i.e. voter anonymity is preserved throughout);
- it includes an (automatic) auditing scheme that provides statistical near certainty (in the absence of *complete* collusion by the authorities) of detecting fifty or more instances of ballot rigging.
It's elegant and simple and very easy to verify. Evidently, alas, the paper does not make this clear to everyone...
Good, now step two (Score:2, Funny)
After all, if the choices are
1) Skynet takes over by force
2) Skynet takes over by vote
I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?
Seriously, though, we might want to turn the running of day-to-day things over to an artificial intelligence someday in the future, because it would be less prone to stupid mistakes and corruption than humans, and
Re:Good, now step two (Score:2)
"Hey B3-6J49, we just came up with this great idea about laying transistors down with DNA, and..."
"Oh. God."
"... Sorry?"
"Brain the size of a planet and he comes around talking about DNA. Don't talk to me about DNA."
"Hey, now, you can't talk to me like that, you're willess!"
"Don't remind me. Oh, looks like you've spilled some coffee on your sleeve, would you like me to design a fusion-powered orbital laser platform
Re:Good, now step two (Score:2)
Well, yes. Could it REALLY keep us entertained? [bushisms.com]
Has to be said... (Score:2)
1) Skynet takes over by force
2) Skynet takes over by vote
I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?
Don't blame me, I voted for HAL-9000!
Cheers,
IT
Too bad.. (Score:4, Insightful)
Not acceptable (Score:4, Insightful)
Misses the point completely (Score:3, Interesting)
I haven't looked at the spec for this yet, but I have to believe that this cannot be the answer, simply because most people won't be able to understand how this system is any different than the (electronic) one it replaces.
More than anything else, voters have to be able to trust that their vote is being counted. And there will always be talk of powerful interests being given backdoors or being able to skew the results using exotic technologies like quantum cryptanalysis.
The only sure way of a) having a legitimate election where b) everyone can know their vote was counted is by c) publishing all the votes.
Publish the votes. No batteries (cryptographic or otherwise) required.
Re:Misses the point completely (Score:2)
You could have a system where each ballot has a different random symbol on it and is given out w
Re:Misses the point completely (Score:2)
It's important that I be able to call you on the phone and confirm that the way you voted matches the way I see you've voted. This is so that we can prevent man-in-the-middle attacks.
Otherwise, a sophisticated adversary could accept your vote, and then when asked to confirm it, produce a record that confirms your vote, knowing that it is you who is requesting it. The vote that is actually registered
Re:Misses the point completely (Score:2)
Yeah, this is what everyone always says in response, but I think that if you think about it, it isn't as great a problem as it first might seem.
For instance, the AC who replied before you talks about the retribution one might face from the boss for voting "the wrong way." But if your boss is intimidating you into voting a certain way, then isn't he also intimidating all your co-workers into voting the sam
Re:Misses the point completely (Score:2)
Yup, I noticed. It's just that the intimidation argument is brought up a lot and I've mentally macro-keyed a response to it.
Say in your hypothetical that the boss doesn't ever say anything about it, but only ever lays off people who vote the other way. Then when questioned, all the voters could honestly say that they voted with the boss and that he didn't intimidate them.
But that would be a pattern that would eventually
Re:Misses the point completely (Score:2)
No. But the statistical analysis could serve as evidence, or even a red flag that prosecutors could use to investigate the matter more thoroughly.
If a pattern emerges where people who vote a certain way and are then fired, and some number of those people allege that they were fired because they didn't vote the way their employer dictated, then I think you have a pretty good case.
More importantly, the employer is effectively
Re:Misses the point completely (Score:2)
Why shouldn't you be able to sell your vote?
It's better than someone else selling your vote for you, isn't it?
How you arrive at this decision should be entirely up to you.
Re:Misses the point completely (Score:2)
Yeah, wait.
I'm curious though... how do you see the publishing of a vote as being any different than registering for a political party?
That said, I am reading the spec (again), and while I'm still not convinced that it is tamperproof, I do agree with you that the eye-candy aspect is going to be very appealing and is a nifty bit of thinking on the auth
Re:Misses the point completely (Score:2)
I think that's way, way off, but feel free to back it up with a link or two. 40%?!? I have to see that to believe it.
For two, I'm not registered as any party for exactly the reason you point out.
And you don't have to vote either. It's simple... if your station in life is such that you can't even cast what amounts to one out of a million votes without fear of reprisal
Designed by Cryptographers, not Committees! (Score:5, Funny)
Like, hey, who the hell does this Rivest guy think he is, and what (apart from this stupid "Ph.D" stuff in "Computer Science" or "Mathematics" or "Cryptography", such a small title he has) makes him think he's any smarter than Penelope Bonsall, who's got a way cooler title "Director of the Office of Election Administration at the Federal Election Commission".
Rivest's system is clearly unworkable. Where's the wining and dining of sales reps? Where's the backroom deals involving hookers and cocaine? Where's the vendor-lock-in? Where are the service contracts and extra government departments required to oversee them? Oh, sure, Rivest can lay the smack down on "where's the beef" when it comes to building a secure and verifiable electronic voting system, but where's the pork?
Re:Designed by Cryptographers, not Committees! (Score:2)
Between proprietary gadgets that are hard to verify, and the DMCA which makes it illegal to
Is a paper trail really that important? (Score:2)
The mechanical lever machines many of us use don't generate a paper trail either, and you don't see anyone all up in arms about that. Besides, how many people will really hold on to their paper ballot (slashdotters
Re:Is a paper trail really that important? (Score:2, Insightful)
Those machines with levers? They make paper trails.
Without this, the votes are ONLY digital. As such, any unauthorized access can, en-masse, change the only record of the votes. Paper cannot be changed nearly so easily, and especially not so secretly. It allows a recount if the machine count seems unreasonable.
It is genuinely an incred
Re:Is a paper trail really that important? (Score:2)
For a lever machine a similar sample would be to see if the card reading device, whatever it is, is reading the cards in the expected manner or is making errors or has been rigged, howev
but still (Score:3, Interesting)
Do it in New Hampshire. (Score:2)
Re:Do it in New Hampshire. (Score:2)
I think that majority votes are still necessary to win elections. No? What do you mean by "devious manipulation"?
How we'll REALLY know . . . (Score:5, Insightful)
US democracy struggle (Score:2, Funny)
Insert Coin
Too complicated... (Score:5, Insightful)
A touch screen voting booth that lets voters select the candidates they want.
After the voter casts their vote the booth prints out a ballot that's a machine readable scantron sheet.
The voter checks to make sure that the candidates they selected are recorded on the ballot and feeds it into a scantron reader. It's this machine that actually records the voter's vote.
This way not only do we get the benefit of a machine count but a paper trail to boot.
Re:Too complicated... (Score:2)
Re:Too complicated... (Score:2, Insightful)
Re:Too complicated... (Score:2)
The voting system must be provably fraud proof, as David Chaum is trying to do. Just because we all have used scantrons does not make them immune to fraud.
-- Bob
Re:Too complicated... (Score:2)
Re:Too complicated... (Score:2)
This proposal catches all of those potential problems and makes them visible, though not correctable.
Regards,
Ross
Re:Too complicated... (Score:3, Interesting)
Touchscreen records your ballot, prints it out for you to check, AND KEEPS COUNT ITSELF.
You feed your paper ballot into a scanning machine that keeps count. And post your paper ballot in a ballot box.
The touchscreen ballot generator and the scanner are produced by two entirely separate companies. Public specifications on the interface.
Now if the two machines disagree about the ballot count you do a paper recount (and find out which vendor stuffed up, and don't use them aga
Re:Too complicated... (Score:3, Interesting)
Paper recounts can be slow and tedious (relatively speaking) but will be done under independent scrutineers AND observers from all parties with a vested interest in the best outcome for themselves (which cancels out, meaning everyone is watching to make sure no one else cheats). Often paper recounts are done twice (to verify the answer) - with actual paper ballots you can count them as often as required. I
Trustees hold secret keys and Patents Galore (Score:2)
If all the "trustees" co-operated, it seems information could leak. In today's age of FBI power, one must assume that all "trustees" are breakable.
I'm also a fan of simpler systems that are slightly more user understandable.
paper trail (Score:2, Insightful)
It will never work! (Score:2, Funny)
I've attended a David Chaum lecture (Score:5, Informative)
Read the paper, it's really jawdropping. Cryptography at its finest.
Re:I've attended a David Chaum lecture (Score:2, Insightful)
RTFA (Score:2, Interesting)
The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the receipt is flawed.
Laymen can check that their votes were counted correctly after the fact. However they can not check what their vote actually was, so a third party can't verify that the layman voted the way they wished.
This is accomplished by printing two receipts which combined form an image of the voters vote,
Still Lots of room for Fraud (Score:3, Informative)
Folks can still vote multiple times if they get more than multiple registration cards. Dead people can still vote. Illegal aliens can still vote (i.e. someone can get a driver's license with Mexican ID, and then get a voter registration card).
The main thing the Chaum proposal handles is fraud by a few people via voting machines. Fraud by election officials using lower tech mechanisms would be more difficult-but still possible.
Mathematicians don't think EVILLY enough (Score:4, Interesting)
The proposal allows a VOTER to verify that their vote was properly cast and recorded.
There is no protection for a candidate.
With physical ballots, a candidate can ask for a recount of those ballots.
As far as I can see, under this proposed system, you either accept the word of the computer, or you try and round up the anonymous (out-of-district or out of state) voters and ask them to please check their ballots.
Snowball I can vote with impunity. Indeed I can add as many votes to the machine record as I want - I can have the machine churning out thousands of votes per hour, shred both copies, and just make sure the legitimate votes are also included in the tally.
The proposal addresses completeness (all votes are recorded), accuracy (the votes are correctly recorded, or can be verified as having been so) BUT only by the voter - NOT the candidate who has to trust the machine or hope a voter picks up a fault.
Validity (only proper votes are cast) is not addressed. Unless I'm missing something.
Re:Mathematicians don't think EVILLY enough (Score:3, Interesting)
Much fraud is pretty low tech but involves manipulating lots of people. Basically many security mechanisms come down to the word of
Re:Mathematicians don't think EVILLY enough (Score:3, Insightful)
The auditing process provides statistical guarantees that (in the absence of complete collusion by the polling agents) (a) every ballot is counted, (b) no extra ballots have been inserted, and (c) no ballot has been tampered with.
Furthermore, all of this information is provided on the web. Each voter can check that their vote was recorded and anybody at all can check the final tally (the plaintext electronic ballot papers are also published, but they cannot be t
Printing Technology (Score:3, Insightful)
Incidentally, most of the alternative suggestions offered by slashdotters seem to compromise the secrecy of the ballot. Secrecy might not seem important to the average slashdotter, but it is important if your family will disappear when you get caught voting for the opposition.
Lacks common sense (Score:2)
a flaw? (Score:3, Interesting)
It seems that you are deprived of the ability to reproduce your vote outside the booth by separating the information into two pieces either of which is illegible/useless by itself. However, with the cellular phones taking digital pictures nowadays, could you not essentially take both of them with you if you want?
If this is true then further security is needed to ensure that although you choose one of the two equally valid pieces, you cannot reach the other one at all. This, btw, can be done cryptographically.
Cryptography and the real world (Score:2)
As it happens I discussed Chaum's system just today [python-hosting.com] on the Voting-Project mailing list [python-hosting.com]. I guess I might as well quote myself:
Re: (Score:2)
Re:How about (Score:3, Funny)
Hmmm... Do you subscribe to the "Vote Early, Vote Often" theory? :)
I vote on Tuesday, personally...
Re:How about (Score:5, Funny)
The fogies in Fla missed voting correctly by about a 1/4 inch. You just missed voting correctly by 24 hours.
Re:This doesn't seem quite bulletproof enough... (Score:2)
all that it would mean is that the person that's selling their vote would have to give out their ssn.
Re:This doesn't seem quite bulletproof enough... (Score:4, Insightful)
Not a chance. First of all the SSN, even if it were as difficult to obtain as you suppose (hint: it's not), this wouldn't be of help in vote-selling, as the voter would cheerfully surrender his SSN if he wanted to get paid.
As for the rest, you're radically overestimating the number of permutations an election can typically have -- a dozen yes or no decisions and one or two candidates each for a handful of offices could be permuted by any cheap desktop PC in very short order.
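The enumeration this comment describes, as an added example that is not part of the original thread: it assumes the receipt is a hash over the voter's SSN plus their choices, and uses SHA-256 rather than MD5 to show that hash strength does not matter when the input space is this small. The ballot layout (12 measures, 5 two-candidate offices), the field encoding and the SSN value are constructed.

```python
import hashlib
from itertools import product

MEASURES = 12    # "a dozen yes or no decisions"
OFFICES = 5      # "a handful of offices" (5 is an assumption)
CANDIDATES = 2   # "one or two candidates each"


def receipt(ssn, choices):
    """Hypothetical receipt: hash of the SSN and one digit per contest."""
    data = (ssn + ":" + "".join(map(str, choices))).encode()
    return hashlib.sha256(data).hexdigest()


def ballot_space():
    """Number of distinct ballots a voter could have cast."""
    return 2 ** MEASURES * CANDIDATES ** OFFICES


def all_ballots():
    """Every possible combination of choices, one tuple per ballot."""
    contests = [range(2)] * MEASURES + [range(CANDIDATES)] * OFFICES
    return product(*contests)


def choices_matching(ssn, published):
    """Every ballot whose receipt equals the published one.

    The identifier is known to whoever holds the receipt, so the only
    unknown is the ballot, and the whole ballot space fits in one loop.
    """
    return [c for c in all_ballots() if receipt(ssn, c) == published]


if __name__ == "__main__":
    ssn = "000-00-0000"                       # constructed placeholder
    cast = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1)
    found = choices_matching(ssn, receipt(ssn, cast))
    print(ballot_space(), found == [cast])
```

A deterministic receipt over a 131,072-ballot space identifies the ballot uniquely, which is why the scheme under discussion fails to keep the vote unprovable.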
Re:This doesn't seem quite bulletproof enough... (Score:2)
this system won't work (Score:2)
Now someone is proposing a solution
not decryptable -- it's an XOR (Score:4, Informative)
The single receipt cannot be decoded as you suggest -- each pixel is utterly random. There will be no pattern to detect, within the limits of pseudorandom numbers.
That works because the two receipts basically perform an XOR. Each pixel is either
XO or OX
OX    XO
Call the first '1' and the second '0'. Then 0^0 = partially clear, and 1^1 = partially clear. 0^1 or 1^0 = fully black. When you're printing a pixel, then, you completely, utterly randomly select 1 or 0 for one receipt. You then print either the same, or the opposite, on the other. There is no pattern whatsoever from pixel to pixel, and once half the receipt is destroyed, it is quite impossible to read the other half.
The problem with the system you propose, by the way, is that anyone who had your SSN and MD5 hash could relatively quickly determine the choices you made just by trying all the combinations. If I was buying votes, I could tell you what choices to make, and then demand my money back if I couldn't reproduce your MD5.
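The two-layer XOR described in the comment above, as an added Python example that is not part of the original post or of Chaum's paper. It also shows why one layer alone proves nothing: for any kept layer there is a matching second layer for every possible image. The 5x5 bitmaps and all function names are constructed for illustration.

```python
import secrets

# 2x2 sub-pixel patterns from the comment: bit 1 is XO/OX, bit 0 is OX/XO.
PATTERN = {1: ("XO", "OX"), 0: ("OX", "XO")}

# Constructed sample "ballot images" (1 = black pixel), not from the paper.
VOTE_A = ["01110", "10001", "11111", "10001", "10001"]
VOTE_B = ["11110", "10001", "11110", "10001", "11110"]


def bitmap(rows):
    return [[int(c) for c in row] for row in rows]


def other_half_for(layer, image):
    """The layer that, stacked on `layer`, shows `image`: same bit where the
    image is clear, opposite bit where it is black (a per-pixel XOR)."""
    return [[b ^ px for b, px in zip(lrow, irow)]
            for lrow, irow in zip(layer, image)]


def make_shares(image):
    """First layer is uniformly random; the second is derived from it."""
    first = [[secrets.randbits(1) for _ in row] for row in image]
    return first, other_half_for(first, image)


def render(layer):
    """Expand each bit into its 2x2 pattern; returns rows of 'X'/'O'."""
    out = []
    for row in layer:
        out.append("".join(PATTERN[b][0] for b in row))
        out.append("".join(PATTERN[b][1] for b in row))
    return out


def overlay(a, b):
    """Physical stacking: a sub-pixel is black if either layer is black."""
    return ["".join("X" if "X" in (x, y) else "O" for x, y in zip(ra, rb))
            for ra, rb in zip(a, b)]


def read_overlay(stacked):
    """Fully black 2x2 block reads as 1, half-black ("partially clear") as 0."""
    image = []
    for top, bottom in zip(stacked[0::2], stacked[1::2]):
        image.append([1 if (top[i:i + 2] + bottom[i:i + 2]).count("X") == 4 else 0
                      for i in range(0, len(top), 2)])
    return image


def demo():
    image_a, image_b = bitmap(VOTE_A), bitmap(VOTE_B)
    kept, shredded = make_shares(image_a)
    # What the voter sees in the booth with both layers stacked.
    seen_in_booth = read_overlay(overlay(render(kept), render(shredded)))
    # After shredding: the same kept layer is equally consistent with image B.
    alt_half = other_half_for(kept, image_b)
    alt_view = read_overlay(overlay(render(kept), render(alt_half)))
    return seen_in_booth == image_a, alt_view == image_b


if __name__ == "__main__":
    print(demo())
```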
Which is exactly what they *don't* want to achieve (Score:3, Insightful)
They do *not* want you to be able to verify how you voted, because then you might be *forced* to verify it. What they're trying to do is give you a receipt that you have delivered a valid vote, and that this vote can be verified as having been counted, without revealing for which candidate the vote was for.
The reason for this is simple - with manual counting, you need to involve a lot
Re:ARRRGGHHH!!! (Score:2)
With YRO posts about Voting and politics you think someone would come with with a politics website for slashdot readers. (No, not the EFF)
Re:ARRRGGHHH!!! (Score:2)
With YRO posts about Voting and politics you think someone would come with with a politics website for slashdot readers. "
Look! [rednet.org] Someone did!
(It's just a joke, mods, chill out
Re:Excellent (Score:2, Funny)
openvoting.org is a super nova of sunshine (Score:3, Interesting)
It publicly debuts in beta next month! And it's open source and voter verifiable. It's on source forge right now if you want to look. See EVM2003 [sourceforge.net] or open voting [slashdot.org]. By the way they still need more developers, testers and documentation writers. A
Re:openvoting.org is a super nova of sunshine (Score:2)
Sure trust electronic voting... (Score:2)
I pressed the button for the democrat, like 55% of all voters did, and somehow the republican won. But computers can't make mistakes and people who irresponsibly suggest that they could are just luddites!
Re:Is this really necessary? (Score:3, Informative)
That said, there are many things that truly weren't broke about the last system that need to be preserved.
1. Your receipt should not include a way to find out how you voted. If your vote doesn't stay completely in the voting booth then some people will try to coerce your vote because they will be able to ask you to "prove" how you voted.
Re:Is this really necessary? (Score:2)
Re:The absolute fix (Score:3)
My idea is to conceal the polling places, so that only people who are willing to go to some effort can find them.
voter turnout (Score:2)