[E-voting] Open source voting system

michael at hexmedia.com
Mon Apr 8 20:03:42 IST 2013


There might be a misunderstanding here as to the function of
cryptography in these systems. Taking that out of the equation
for a moment, consider the following. Say you have a system that
uses voting machines, which give you a printed receipt with a
number on it. You take that receipt home with you and check on an
election web site for your vote. If you search through the file of
votes for your number and if your vote is there in the file exactly
as you cast it, then you know your vote was recorded correctly.
If you then take the same file of votes and count them using some
independent software package, or maybe using a couple of different
ones, you can be fairly sure the election was counted correctly
as well. It's really got nothing to do with the software or hardware.
Once the end to end verification works you can be satisfied you
weren't cheated out of your vote.

The problem with the above is that it's not a secret ballot, and the
only function of cryptography is to take all the above information and
encrypt it in such a way that the votes remain secret,
but still allow the election to be verified.

See below for specific answers to your points:

On 2013-04-08 17:38, Catherine Ansbro wrote:
> Here in Ireland our initial focus when this forum was started was to
> avoid 1) and move to 2).
> 
> Over time (and personal experience of both the Irish & USA systems,
> and many knowledgeable tech contributors at blackboxvoting.org) it
> became clear that merely aiming for a system that is "verifiable" is
> an inappropriate goal for an election system on which democracy
> depends.
> 
> As various people have articulated--if it's not verified--by ORDINARY
> citizens--then the election (and government!) is no longer in the
> hands of the citizens & it's not a democracy.
> 
> A number of cryptographic solutions have been proposed sounding like
> that which Michael proposes.
> In addition to the complexity (which is not possible to make
> understandable to ordinary voters), such systems are not suitable
> because--
> 
> 1) By definition, encrypted software etc. is not "observable" by
> ordinary citizen observers. That's true of any software, but even more
> so by cryptographic software.
> 

True, but I think from the example above, it isn't really about the
software. It's about the data (i.e. the votes) and once independent evidence
can be shown that it was handled correctly then it should be trustworthy.

> 2) Someone has to have the key to the encryption: one or more
> insiders. This is a fatal flaw. No election system should require
> "trust", especially not of election administrators.
> 

Most of these systems use public key encryption, which requires the election
administrator to keep a private key secret. Typically, a lot of information
would be published in advance of an election and that would include public
keys, which allows people to test out various things including that the
key pairs are valid. It's possible in theory for an administrator to lose
their secret key and there are ways around that, but in a way I suppose there
are equivalent things that could go wrong in a traditional election.

> 3) There's no way to validate that what runs at election time is what
> was tested or approved. This is still true of encrypted software.
> 

Again, from above, what matters is the data, not the software.

> 4) It is not enough that an independent voter can verify their own
> vote. All kinds of shenanigans may have been done, with some of the
> other votes that I cannot verify--e.g., adding in extra votes in the
> name of voters who are known not to have voted at recent elections.
> 

True, but no system can completely overcome that problem. There's nothing to stop
administrators stuffing paper ballots belonging to voters who didn't turn up.

If anyone is interested, I'll post a copy of the paper I wrote somewhere
(if I can find it).

Michael.
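As an added example (not part of Michael's mail or of any system discussed in the thread), here is the un-encrypted version of the end-to-end check described at the top of the message, in Python: a published file of (receipt number, vote) pairs, the voter's own lookup of their receipt, and the tally cross-checked by two independent counting routines against the announced result. Receipt numbers and candidate names are constructed sample data.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the "file of votes" the mail says is posted on the
# election web site, one (receipt number, vote as cast) pair per ballot.
PUBLISHED_VOTES: List[Tuple[str, str]] = [
    ("R-1001", "Alice"), ("R-1002", "Bob"), ("R-1003", "Alice"),
    ("R-1004", "Carol"), ("R-1005", "Alice"),
]


def voter_check(published: List[Tuple[str, str]],
                receipt_number: str, choice_as_cast: str) -> str:
    """The individual check: look up the number from the printed receipt and
    confirm the vote is there exactly as cast. Anyone holding the receipt
    number can do the same lookup, which is the secrecy problem the mail
    says cryptography exists to solve."""
    for number, choice in published:
        if number == receipt_number:
            return "ok" if choice == choice_as_cast else "altered"
    return "missing"


def tally_by_counter(published: List[Tuple[str, str]]) -> Dict[str, int]:
    """First independent count, using the standard library's Counter."""
    return dict(Counter(choice for _, choice in published))


def tally_by_loop(published: List[Tuple[str, str]]) -> Dict[str, int]:
    """Second independent count, written without any shared helper."""
    totals: Dict[str, int] = {}
    for _, choice in published:
        totals[choice] = totals.get(choice, 0) + 1
    return totals


def independent_count_agrees(published: List[Tuple[str, str]],
                             announced: Dict[str, int]) -> bool:
    """The universal check: both counts of the published file must agree with
    each other and with the officially announced result."""
    return tally_by_counter(published) == tally_by_loop(published) == announced


if __name__ == "__main__":
    # A ballot altered in the file is counted consistently by both routines,
    # so only the affected voter's own receipt check can catch it.
    altered = [(n, "Alice" if n == "R-1002" else c) for n, c in PUBLISHED_VOTES]
    print(voter_check(altered, "R-1002", "Bob"))                       # altered
    print(independent_count_agrees(altered, {"Alice": 4, "Carol": 1}))  # True
```

The two checks catch different failures: the independent count detects a miscounted or misreported total, while only the voter's own lookup detects a ballot changed before publication.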