Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security United States Your Rights Online

A Secure and Verifiable Voting System 346

meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."
This discussion has been archived. No new comments can be posted.

A Secure and Verifiable Voting System

Comments Filter:
  • One question.... (Score:2, Insightful)

    by Kenja ( 541830 )
    Will there be people involved at any point? If so then its not secure, however it may be verifiable.
    • yes (Score:4, Funny)

      by commodoresloat ( 172735 ) on Tuesday November 25, 2003 @07:22PM (#7564008)
      presumably, they will be doing the voting.
    • Re:One question.... (Score:2, Informative)

      by gumbi west ( 610122 )
      You may care to read the article, but they actually appear to have found a secure and verifable way of voting. In fact, the best objection to it would be that it is either too verifiable (i.e. you can decript its result after voting to a third party) or not verifiable (i.e. try to verify a 1024 bit encripted key).

      The only way I can think of to keep vote you made readable would be to take into the booth a bogus second layer and then hand it to the poll worker to shred--leaving your vote intact and readable.

      • Its simple.
        You have a computer take the votes and print a reciept that is human readable that gets taken home. Along with that, it prints a very large random number.
        After the election, you can go to a webpage and type in that number and it will tell you how that person voted. Thats allows the voter to veryify the results.

        The second bit is that you need to be able to go to the same web page and ask for the 1st vote or the 12,232 vote. In fact you should be able to download all the votes (including the ra
    • by egarland ( 120202 ) on Wednesday November 26, 2003 @01:22AM (#7566361)
      Someone please mod this down as overrated!!!

      You can build secure systems on top of insecure components. See any encrypted internet protocol for an example.
  • Combination.. (Score:2, Insightful)

    Open source + Paper trail = secure voting.

    How much longer till they figure this out?
    • by Anonymous Coward
      Closed source + Paper green = secure voting.

      They've figured out already.
    • There are still quite a few low tech means of commiting vote fraud. IMHO open source and a paper trail are decent steps-but hard encryption so that anyone with a receipt can :

      prove they have an authentic receipt

      audit the records

      would also help quite a bit.

      Now, even that still doesn't handle stuff like people voting twice. We'll still need to worry about stuff like folks using false/invalid ID and voting(which is pretty rare I would suspect, but give them time).

    • Re:Combination.. (Score:5, Interesting)

      by Anonymous Coward on Tuesday November 25, 2003 @06:22PM (#7563473)
      It's not as simple as that. To prevent vote-selling, it can't be possible to someone to walk out the door with proof that they voted for a certain person. The press release gets further into these details; describing a convoluted two-piece receipt system.
    • Re:Combination.. (Score:5, Insightful)

      by cjgross ( 562821 ) on Tuesday November 25, 2003 @06:32PM (#7563554) Homepage Journal
      In order to be verifiable, you need the paper output. If they voting machines would generate a unique paper output from each machine as a backup, votes could be recounted and audited. Each paper ballot could be encrypted and stored in 2D electronic barcode. It would be easy to scan and verify and data could not be altered without invalidating the crc's. Electronic voting will never be stand alone until we have a valid way to audit the results. cjg
      • Re:Combination.. (Score:4, Insightful)

        by cfradenburg ( 592693 ) on Tuesday November 25, 2003 @09:52PM (#7565188)
        While the barcode is a good idea, in my opinion the main advantage to having a paper printout is so that the voter can visually verify that their vote is correct. Due to the fact that the main issue here is votes getting recorded correctly confirmation on the screen isn't enough. A barcode isn't good enough for that unless it's easy to read (have a sheet with what each code matches for example.) While we're at it, why do electronic voting at all if they need to be verified with counting? If the paper is just there in case someone disputes the results that's one thing but if it will be counted to verify anyway it's not worth doing electronic voting. The other issue with a printout is voter privacy. This isn't as large with the groups I hang out with but to others it may be a very big deal. This means that every page or section of a page that records a vote on paper must be hidden before the next voter enters. Not something that's hard but it needs to be considered.
    • Re:Combination.. (Score:5, Insightful)

      by Anonymous Coward on Tuesday November 25, 2003 @06:35PM (#7563578)
      Me again from VoteHere [votehere.net], open source is fine if it is all you have, but it is far better to have an auditable data trail. Remember, that computers like the ones in most voting machines are "general purpose computing devices" so it is difficult to know exactly what code is running on them. Opening the source will help you be sure that there somewhere exists good software that if you ran it in the voting machines would lead to an accurate election, but it does not give any confidence that the machine actually was running that software, and only that software. Paper makes for a fine audit trail if you have nothing better, but ask anyone who voted in Chicago in the last century how well it does by itself to prevent election fraud. It is far better to extend the auditable portion of the data all the way through the election process to tabulation so that anyone could verify that the final count did in fact match the populous' intent.
  • Sounds like a good idea to me - similar to public-key cryptography applied to the voting process, but with the decoding possible from two places...

    Simon
  • David Chaum... (Score:5, Informative)

    by Stile 65 ( 722451 ) on Tuesday November 25, 2003 @06:08PM (#7563348) Homepage Journal
    ...is an awesome mathematician/cryptographer. I'm working on a project (on SourceForge, but it's not nearly far enough along for me to announce anything on /. yet) based on his digital cash system, and some other things he's done. Yes, I know it's patented, but it's really meant as a proof-of-concept type deal.

    I just hope that if Chaum starts a company for his e-voting solution, it fares better than Digicash. IIRC, he wouldn't sell to M$ for $100M or to Visa for $40M, but ended up bankrupting Digicash and having to leave it. I'm not sure if I've got all the details right, so anyone's welcome to correct me.
  • by blueberry(4*atan(1)) ( 621645 ) on Tuesday November 25, 2003 @06:13PM (#7563389)
    and it may be a good system. However, it is more complex than the current checkbox or hole punch system. The more complexity, the more difficult it is to fully consider all the possible vulnerabilities.

    I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives. Just voting is key to any democracy, so tread lightly!

    • Yes, this does seem overly complex. You could do this much more easily with a KISS approach:

      Print one human-readable receipt that you drop in the ballot box. There's still the problem of ensuring anonyimity and preventing ballot stuffing, but that could be solved pretty easily. Generate a list of random or even serial UIDs for each polling place, enough for all registered voters and a few extra for provisional ballots. Print the UID on bottom of the receipt with maybe a sleeve to hide everything but the UI
      • Am I missing anything?

        Yep. Independent verification that your vote is valid and was counted.

        In terms of voting and counting votes it isn'y as complicated as it sounds.

        1) Vote on a computer.
        2) Computer prints receipt.
        3) Select top or bottom from the computer screen.
        4) Computer prints validation code.
        5) Take receipt.
        6) Give half that says "Give to poll personel" to poll personel for shredding.
        7) Encrypted voting data transferred to counting location where keys are used to decrypt and count results.
        8) Cele
    • I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives

      Ha! Got it. But how do I know that sticking with paper is what you really wrote? Ba-dump bump.

      I appreciate the thought the author put into the idea, but why the need to make something as simple as a multiple-choice questionnaire into a massive computer technology festival anyway? Simple optical technology to quickly count such things has existed and been used by schools

    • by ralphbecket ( 225429 ) on Wednesday November 26, 2003 @01:04AM (#7566295)
      I never cease to be amazed at what is considered insightful on this forum.

      The *process* is very simple and completely automatic.

      The *reason* it works is *slightly* more complex, but is considerably easier to understand than, say, public key cryptography. This is not rocket science.

      Properties of the system:

      - it allows each voter to verify that their vote has been recorded;

      - it does not allow a voter, or anybody else involved, to prove which way they voted (i.e. voter anonymity is preserved throughout);

      - it includes an (automatic) auditing scheme that provides statistical near certainty (in the absence of *complete* collusion by the authorities) of detecting fifty or more instances of ballot rigging.

      It's elegant and simple and very easy to verify. Evidently, alas, the paper does not make this clear to everyone...
  • Now that you have a decent electronic voting system, you can start developing decent electronic candidates.

    After all, if the choices are

    1) Skynet takes over by force
    2) Skynet takes over by vote

    I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?

    Seriously, thought, we might want to turn the running of day-to-day things over to an artificial intelligence someday in the future, because it would be less prone to stupid mistakes and corruption than humans, and
    • I, for one, welcome the idea of entire worlds filled with billions upon billions of Marvins.

      "Hey B3-6J49, we just came up with this great idea about laying transitors down with DNA, and..."
      "Oh. God."
      "... Sorry?"
      "Brain the size of a planet and he comes around talking about DNA. Don't talk to me about DNA."
      "Hey, now, you can't talk to me like that, you're willess!"
      "Don't remind me. Oh, looks like you've spilled some coffee on your sleeve, would you like me to design an fusion-powered orbital laser platform
    • Besides, could it really do any worse than the current leaders ?

      Well, yes. Could it REALLY keep us entertained? [bushisms.com]

    • After all, if the choices are

      1) Skynet takes over by force
      2) Skynet takes over by vote

      I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?


      Don't blame me, I voted for HAL-9000!

      Cheers,
      IT
  • Too bad.. (Score:4, Insightful)

    by xchino ( 591175 ) on Tuesday November 25, 2003 @06:13PM (#7563400)
    It's too bad this won't get any support, as it doesn't make politicians any profit. Maybe if they could promise Bush Ohio's vote, or line some pockets with green, they'll get some government backing. I think there should be a law against a politician having invested interest into the means by which they are elected.

  • Not acceptable (Score:4, Insightful)

    by Marcus Erroneous ( 11660 ) on Tuesday November 25, 2003 @06:15PM (#7563417) Homepage
    How in the world do you expect the penny ante politicians to get elected with an honest, secure system? More importantly, how is Bu$h supposed to get re-elected with a fair, impartial, secure and verifiable voting system? Fortunately, here in the good ol' US of A, we're free to chose a more politically useful system. ;)
  • by corebreech ( 469871 ) on Tuesday November 25, 2003 @06:16PM (#7563424) Journal
    Most lay people assume the voting system is secure simply by virtue of it being computerized.

    I haven't looked at the spec for this yet, but I have to believe that this cannot be the answer, simply because most people won't be able to understand how this system is any different than the (electronic) one it replaces.

    More than anything else, voters have to be able to trust that their vote is being counted. And there will always be talk of powerful interests being given backdoors or being able to skew the results using exotic technologies like quantum cryptoanalysis.

    The only sure way of a) having a legitimate election where b) everyone can know their vote was counted is by c) publishing all the votes.

    Publish the votes. No batteries (cryptographic or otherwise) required.
    • I presume when you say to publish the votes, you mean that you produce a book of ballots that you counted, where each person can recognize their own, but there's no way to identify which was cast by someone else. (If you just published the ballots, using the kinds of ballots used where I've voted, people could count them, and they'd be anonymous, but it would be damn hard to tell yours apart from other people's)

      You could have a system where each ballot has a different random symbol on it and is given out w
      • No, I mean that the votes should be published in a way where everyone gets to see how everyone else voted.

        It's important that I be able to call you on the phone and confirm that the way you voted matches the way I see you've voted. This is so that we can prevent man-in-the-middle attacks.

        Otherwise, a sophisticated adversary could accept your vote, and then when asked to confirm it, produce a record that confirms your vote, knowing that it is you who is requesting it. The vote that is actually registered
  • by Tackhead ( 54550 ) on Tuesday November 25, 2003 @06:22PM (#7563479)
    So a couple of noted cryptographers have come up with a secure, verifiable, electronic voting system and put the design out in the open for anyone to use. Like that was a challenge.

    Like, hey, who the hell does this Rivest guy think he is, and what (apart from this stupid "Ph.D" stuff in "Computer Science" or "Mathematics" or "Cryptography", such a small title he has) makes him think he's any smarter than Penelope Bonsall, who's got a way cooler title "Director of the Office of Election Administration at the Federal Election Commission".

    "The computer scientists are saying, 'The machinery you vote on is inaccurate and could be threatened; therefore, don't go. Your vote doesn't mean anything.'

    Penelope Bonsall, Director of the Office of Election Administration at the Federal Election Commission, A Very Important Person Who's Smarter And Better Than Those Goofy Computer Scientists Because She Has A Bigger Title And Burns Through More Taxpayer Dollars In A Week Than That Rivest Dude Probably Generated In His Entire Working Career!

    Rivest's system is clearly unworkable. Where's the wining and dining of sales reps? Where's the backroom deals involving hookers and cocaine? Where's the vendor-lock-in? Where are the service contracts and extra government departments required to oversee them? Oh, sure, Rivest can lay the smack down on "where's the beef" when it comes to building a secure and verifiable electronic voting system, but where's the pork?

    • That was apparantly posted in sarcasm, but this is exactly the thing I can't figure out. People keep suggesting new ways to make electronic voting secure and verifiable, but that's never been the problem. The paper trail is itself is the problem that electronic voting is meant to solve. You can't dictate leaders if you can't control the vote. The paper system is too hard to control, hence this new digital system.

      Between proprietary gadgets that are hard to verify, and the DMCA which makes it illegal to
  • Don't get me wrong... the ability to verify that your vote is tabulated (which this system claims to do) is a good thing. But I keep reading endless articles about how just adding a "paper trail" to any voting system makes it magically all better, without addressing any of the security issues.

    The mechanical lever machines many of us use don't generate a paper trail either, and you don't see anyone all up in arms about that. Besides, how many people will really hold on to their paper ballot (slashdotters
    • by Anonymous Coward
      A paper trail does make it magically more secure. This isn't referring to you keeping paper, it is referring to a piece of paper with the vote on it being stored somewhere.

      Those machines with levers? They make paper trails.

      Without this, the votes are ONLY digital. As such, any unauthorized access can, en-masse, change the only record of the votes. Paper cannot be changed nearly so easily, and especially not so secretly. It allows a recount if the machine count seems unreasonable.

      It is genuinely an incred
      • It also allows a random sampling of the votes the machine recorded, in the case of a digital machine the votes can be numbered, without any reference to the actual voter and the numbered electronic vote can be compared to a random sampling of the physical paper vote to see if the machine is making errors or has been rigged.

        For a lever machine a similar sample would be to see if the card reading device, whatever it is, is reading the cards in the expected manner or is making errors or has been rigged, howev
  • but still (Score:3, Interesting)

    by rock_climbing_guy ( 630276 ) on Tuesday November 25, 2003 @06:23PM (#7563485) Journal
    I like the idea of being about to verify that my vote counted, but how will everyone being able to verify their vote stop dead people from voting?
  • Move to New Hampshire, the free state [freestateproject.org], and set this up. I know, voting procedures and libertarianism are two different topics. But they are related in the sense that they are both progressive attempts to reform government. Perhaps it would be easier to advocate such a project in a free New Hampshire (should the Free State project succeed) than elsewhere. Just a random thought.
  • by CleverNickName ( 129189 ) * <wil@wilwhe[ ]n.net ['ato' in gap]> on Tuesday November 25, 2003 @06:28PM (#7563517) Homepage Journal
    We'll know that this is a real and secure voting method just as soon as all the incumbents and lobbyists come out and blast it as "dangerous" and find some way to connect it to terrorism.
  • Game Over!!
    Insert Coin
  • Too complicated... (Score:5, Insightful)

    by jjh37997 ( 456473 ) on Tuesday November 25, 2003 @06:30PM (#7563537) Homepage
    Here's what we need...

    A touch screen voting booth that lets voters select the canidates they want.

    After the voter casts their vote the booth prints out a ballot that's a machine readable scantron sheet.

    The voter checks to make sure that the canidates they selected are recorded on the ballot and feeds it into a scantron reader. It's this machine that actually records the voter's vote.

    This way not only do we get the benifit of a machine count but a paper trail to boot.
    • No offense, but that is too complicated. People aren't going to check that the machine gave them who they're really voting for.

    • Why should I trust a scantron machine any more than I trust a touch-screen terminal? Why should I trust that the numbers spit out of the scantron machine correspond to the scantron card that was fed in?

      The voting system must be provably fraud proof, as David Chaum is trying to do. Just because we all have used scantrons does not make them immune to fraud.

      -- Bob

    • It doesn't even need to be scantron. If your computer printout is going to print out only a few options you could make it just about anything and have it computer readable. The peoples names or what ever else is deemed easiest to read.
    • Your suggestion doesn't protect against card remarking, card stealing, or card-invalidating, which are all forms of tampering with the paper trail.

      This proposal catches all of those potential problems and makes them visible, though not correctable.

      Regards,
      Ross
  • It appears from a quick read that the guy behind this has patented about every form of limited traceability and other feature one could think of. If any of this proposal is patented it should be ruled out instantly.

    If all the "trustees" co-operated, it seems information could leak. In todays age of FBI power, one must assume that all "trustees" are breakable.

    I'm also a fan of simpler systems that are slightly more user understandable.
  • paper trail (Score:2, Insightful)

    by mehtars ( 655511 )
    Even if there is an open audit of the source and a paper trail, most of the canidates will still request a recount of the ballots by hand. Call me a bit old fashion, but I still believe that the best way to hold an election is to do it on paper rather than on a computer. Even the most secure open-source OS can have security holes....

  • With this system how are they supposed to fix elections? This will never work.
  • by acidblood ( 247709 ) <decio@@@decpp...net> on Tuesday November 25, 2003 @06:44PM (#7563641) Homepage
    in an workshop held here in Brazil (Alfred Menezes and Darrel Hankerson were the other lecturers). Folks, the system is perfect. There's nothing to complain about it -- laymen can check that their votes were counted through so-called `visual cryptography' (an idea of Adi Shamir IIRC), while everything else you'd expect from a secure and reliable voting system is provided. One can only hope that this is deployed somewhere, but I'm not holding my breath.

    Read the paper, it's really jawdropping. Cryptography at its finest.
    • The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the recipet is flawed.
      • RTFA (Score:2, Interesting)

        by CedgeS ( 159076 )

        The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the recipet is flawed.

        Laymen can check that their votes were counted correctly after the fact. However they can not check what their vote actually was, so a third party can't verify that the layman voted the way they wished.

        This is accomplished by printing two receipts which combined form an image of the voters vote,

  • by randall_burns ( 108052 ) <randall_burnsNO@SPAMhotmail.com> on Tuesday November 25, 2003 @06:48PM (#7563678)
    This is a step forward, but:

    Folks can' still vote multiple times if they get more than multiple registration cards. Dead people can still vote. Illegal aliens can still vote(i.e. someoen can get a drivers license with Mexican ID-and then get a voter registration card).


    The main thing the Chaum proposal handles is fraud by a few people via voting machines. Fraud by election officials using lower tech mechanisms would be more difficult-but still possible.

    • by waynemcdougall ( 631415 ) <slashdot@codeworks.gen.nz> on Tuesday November 25, 2003 @08:49PM (#7564728) Homepage
      Mod parent up.

      The proposal allows a VOTER to verify that their vote was properly cast and recorded.

      There is no protection for a candidate.

      With physical ballots, a candidate can ask for a recount of those ballots.

      As far as I can see, under this proposed system, you either accept the word of the computer, or you try and round up the anonymous (out-of-district or out of state) voters and ask them to please check their ballots.

      Snowball I can vote with impunity. Indeed I can add as many votes to the machine record as I want - I can have the machine churning out thousands of votes per hour, shred both copies, and just make sure the legitimate votes are also included in the tally.

      The proposal address completeness (all votes are recorded), accuracy (the votes are correctly recorded, or can be verified as having been so) BUT only by the voter - NOT the candidate who has to trust the machine or hope a voter picks up a fault.

      Validity (only proper votes are cast) is not addressed. Unless I'm missing something.

      • I think you are right-mathemeticians are trusting folks. I'm not an especially good mathematician. However, I have substantial experience dealing with fraud detection systems. I did an early database implementation for what become the world's most popular credit card fraud detection system. I've also worked on an investigation that put the CEO of a major corporation in prison.

        Much fraud is pretty low tech but involves manipulating lots of people. Basically many security mechanisms come down to the word of

      • Yes, there is protection for the candidate.

        The auditing process provides statistical guarantees that (in the absence of complete collusion by the polling agents) (a) every ballot is counted, (b) no extra ballots have been inserted, and (c) no ballot has been tampered with.

        Furthermore, all of this information is provided on the web. Each voter can check that their vote was recorded and anybody at all can check the final tally (the plaintext electronic ballot papers are also published, but they cannot be t
  • by femto ( 459605 ) on Tuesday November 25, 2003 @06:51PM (#7563705) Homepage
    One would have to make sure the printing technology was 'perfect'. What if there was some residual image of the 'red' layer superimposed on the 'white' layer (for example, heat leaking between the two layers of a thermal printer)? Then it would be possible to 'reverse engineer' a receipt and the ballot may no longer be secret.

    Incidentally, most of the alternative suggestions offered by slashdotters seem to compromise the secrecy of the ballot. Secrecy might not seem important to the average slashdotter, but it is important if your family will disappear when you get caught voting for the opposition.

  • It may be mathematically provable, but it lacks the "common sense" aspect that would allow the adoption of such a system. It tends to be better to use technology "under the hood" where it works as one would expect, but is resilient to attacks on the inside. I described a system [slashdot.org] I believe would work in the last story on voting machines.

  • a flaw? (Score:3, Interesting)

    by agurkan ( 523320 ) on Tuesday November 25, 2003 @07:22PM (#7564019) Homepage
    I tried to read the article and hopefully I am mistaken but would appreciate some comment on this.
    It seems that you are deprived of the ability to reproduce your vote outside the booth by seperating the information into two pieces either of which is illegible/useless by itself. However, with the cellular phones taking digital pictures nowadays, could you not essentially take both of them with you if you want?
    If this is true then further security is needed to ensure that although you choose one of the two equally valid pieces, you cannot reach the other one at all. This, btw, can be done cryptographically.
  • Over at EVM2003 [sourceforge.net] and the Open Voting Consortium [openvoting.org] we are addressing the problems with proprietary and paperless voting systems in the concrete, and in a reasonably short-term time frame. The thing to keep in mind is that the problems are mostly political ones, not technical ones. Cryptographers tend to miss this fact.

    As it happens I discussed Chaum's system just today [python-hosting.com] on the Voting-Project mailing list [python-hosting.com]. I guess I might as well quote myself:

    Re: securing electronic ballots

    From: David Mertz %lt;voting-

  • Comment removed based on user account deletion

"It takes all sorts of in & out-door schooling to get adapted to my kind of fooling" - R. Frost

Working...