[EM] Re: Election-methods digest, Vol 1 #374 - 1 msg
kjinnovation at earthlink.net
Fri Dec 5 02:45:02 PST 2003
election-methods-electorama.com-request at electorama.com wrote:
>From: matt at tidalwave.net
>Date: Wed, 3 Dec 2003 18:29:44 -0800 (PST)
>To: election-methods at electorama.com
>Subject: [EM] Verifiable secure voting using dual half pixel receipts
>Reply-To: matt at tidalwave.net
>Ken Johnson wrote:
>"As I understand it, a ballot receipt contains no information about the
>voter's identity, which only becomes potentially knowable when the voter
>presents the receipt for validation/verification. But how would the
>process verify that only legally registered voters have voted, and that
>no one voted twice? I don't quite understand the basis of the claim that
>"...it can lift the requirement that voters must vote from their home
>precinct ... inter-jurisdiction voting becomes workable ...".
>I assume that verifying only registered voters voted and no one voted twice would be done the same way this is currently done and the same ways your proposed method does. For example, the voting machine would have to be reset by election volunteers after each vote before the next vote can occur. Voters would have to sign in with an approved ID. The voter registration data would be cross-checked with other databases. Etc. Even your suggestion of machine-readable stamps placed in the registration logs immediately after the vote could be implemented to make it easier to verify that the number of votes and ballots match.
But are these processes workable without precinct-level voting? I had
the impression that Chaum was implying this, but maybe his point was
that the vote counting process (as opposed to voter verification)
wouldn't be reliant on precinct-level tallies.
>Ken Johnson wrote:
>"I question whether a method with this level of technical sophistication
>and complexity would be practical or whether voters would trust the
>"mathematical magic" behind the secure encryption scheme - especially in
>emerging democracies where most voters may be barely literate, much less
>computer literate or technologically literate. One particular weakness
>is the reliance on a small number of "trustees" - holders of the private
>encryption keys - to ensure voter secrecy. The trustees might have the
>highest level of professionalism and integrity, but probably not much
>technical sophistication or understanding of cryptography, so you might
>find someday that a hacker has gotten hold of the private keys and
>posted them on the Internet, along with all of the decrypted ballots."
>Keeping the secret keys secret is always essential to public/private key encryption. Like the article says, government and businesses have been relying on this method for years now and so far it has been successful. As I understand it the number of trustees (and therefore the number of private keys) can be increased or decreased to provide more or less secrecy protection.
Good points, but it could be argued that the method has not been very
successful in societies where corruption is the norm and crooked public
officials routinely pilfer vast sums of money from government and
business accounts. The system's integrity ultimately depends not on the
encryption algorithm, but on the trustees' personal integrity and their
susceptibility to being bribed, coerced, or duped into revealing their
A more fundamental problem, I think, is one of voter perceptions and
acceptance. Even if the process is provably secure, voters who don't
understand the proof probably won't trust the system and won't vote.
Look at it from the voter's perspective: You're given these two plastic
sheets stuck together, which clearly show your vote. When you pull them
apart the information seems to "magically" turn into garble, but you are
told that (1) the information on your vote is still there on the
receipt, which can be used to prove that your individual vote is
correctly included in the final tally, and yet (2) no one can possibly
find out from your receipt how you voted. Wouldn't the average voter be
understandably mystified and baffled by this seeming contradiction? One
thing you don't want an election process to do is mystify and baffle the
>Ken Johnson wrote:
>"Following is an outline of a comparatively "low-tech" voting process
>that I think probably accomplishes the same objectives as Chaum's
>method, while overcoming its weaknesses. (Whether it actually does, I
>pose as an open question.)"
>I disagree. I don't think your method accomplishes the same objectives. For example, under the half pixel half receipt method it is likely that any attempt to swap a real voted ballot with a fraudulent replacement voted ballot would be detected. Under your method anyone with access to the voted ballots, the ballot stamp, and the blank ballots could swap real voted ballots with his own fraudulent ballots without any chance of being detected (provided they could swap ballots when no one outside the vote rigging conspiracy who is willing to report the fraud was present as a witness).
>Ken then presented the properties and steps for his method of conducting secure elections which I won't repeat here.
In retrospect, I think I agree that we do not accomplish the same
objectives. The primary objective of Chaum's proposal appears to be to
enable individual voters to ensure that their ballots are correctly
included in the final tally, whereas my focus is more on verifying that
the final tally is correct. For the latter objective, it is not
sufficient to be able to prove that any particular valid ballot
corresponds to a correctly-entered database record; you also have to
determine (at least within reasonable statistical uncertainty) that
every database record corresponds to a valid ballot, i.e., there is no
ballot stuffing or "database stuffing".
I think Chaum's method would be no less susceptible to fraud than my
proposal, at least in terms of guarding against ballot stuffing and
excluding illegal votes. In either case, the system is dependent on the
integrity and competence of local election officials. However, ballot
tampering or stuffing would not likely affect the outcome of the
election unless there is widespread fraud across dozens or hundreds of
precincts. It is unlikely that such widespread collusion could be
coordinated or that it would go undetected.
I'm not opposed to using ballot receipts to enable voters to verify that
their ballots were counted. (People who don't trust the receipts can
just shred them.) But ballot receipts are not sufficient to validate the
election tally, and I don't think it should be the responsibility of
the voters to validate the tally. My position is that election results
ought to be independently and provably verified (at least within
reasonable doubt), as a matter of routine election certification
processes, by methods that do not require voters to retain and surrender
their voting receipts.
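The "two sheets that turn into garble when pulled apart" receipt discussed in the message above can be modelled in a few lines. The following is an added illustration, not code from the original thread and not Chaum's actual visual-cryptography or mix-net construction: it is a simplified XOR secret-sharing picture of the same two properties, (1) the voter can check the retained layer against a public record, and (2) the retained layer by itself is consistent with every possible vote. The names BulletinBoard, Trustee, cast_ballot, voter_verifies and receipt_explains_vote, the fixed ballot width and the sample candidate list are all invented here for the example.

```python
# Added illustration of the two-layer receipt idea (not the original post's
# code, and a toy model rather than Chaum's real scheme). All names below are
# assumptions made for this example.
import hashlib
import secrets

BALLOT_WIDTH = 16                         # fixed width: layer length leaks nothing
CANDIDATES = ["ALICE", "BOB", "CAROL"]    # constructed sample choices


def ballot_image(vote: str) -> bytes:
    """Fixed-width 'printed ballot' bytes; every choice encodes to the same length."""
    raw = vote.encode("utf-8")
    if len(raw) > BALLOT_WIDTH:
        raise ValueError("vote too long for ballot image")
    return raw.ljust(BALLOT_WIDTH, b"\0")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def commit(layer: bytes) -> str:
    """Public commitment to a layer: SHA-256 hex digest."""
    return hashlib.sha256(layer).hexdigest()


class BulletinBoard:
    """Public record: serial number -> commitment to the voter's retained layer."""
    def __init__(self):
        self.posted = {}

    def post(self, serial: str, layer_commitment: str) -> None:
        self.posted[serial] = layer_commitment


class Trustee:
    """Holds the destroyed layer (the 'mask') per serial; the only party that can decode."""
    def __init__(self):
        self.masks = {}


def cast_ballot(vote: str, board: BulletinBoard, trustee: Trustee):
    """Split the ballot image into two layers: one random mask kept by the trustee,
    one XOR'd layer handed to the voter as the receipt. Alone, each layer is
    uniformly random; together they reproduce the ballot image."""
    serial = secrets.token_hex(4)
    mask = secrets.token_bytes(BALLOT_WIDTH)
    receipt_layer = xor_bytes(ballot_image(vote), mask)
    trustee.masks[serial] = mask
    board.post(serial, commit(receipt_layer))
    return serial, receipt_layer


def voter_verifies(board: BulletinBoard, serial: str, receipt_layer: bytes) -> bool:
    """Property (1): the voter checks that the receipt is the one on public record.
    A tampered or substituted receipt fails the comparison."""
    return board.posted.get(serial) == commit(receipt_layer)


def trustee_decodes(trustee: Trustee, serial: str, receipt_layer: bytes) -> str:
    """Only whoever holds the mask can turn the receipt back into a vote."""
    return xor_bytes(receipt_layer, trustee.masks[serial]).rstrip(b"\0").decode("utf-8")


def receipt_explains_vote(receipt_layer: bytes, candidate: str) -> bytes:
    """Property (2): for ANY candidate there is a mask under which this receipt
    decodes to that candidate, so the receipt alone reveals nothing. Returns
    that mask; the caller can confirm it decodes the receipt to `candidate`."""
    return xor_bytes(receipt_layer, ballot_image(candidate))


def run_demo(vote: str = "BOB") -> dict:
    """Cast one ballot and collect the checks a practitioner would want to see."""
    board, trustee = BulletinBoard(), Trustee()
    serial, layer = cast_ballot(vote, board, trustee)
    tampered = bytes([layer[0] ^ 0x01]) + layer[1:]
    return {
        "voter_check": voter_verifies(board, serial, layer),
        "tampered_check": voter_verifies(board, serial, tampered),
        "decoded": trustee_decodes(trustee, serial, layer),
        "consistent_with_every_candidate": all(
            xor_bytes(layer, receipt_explains_vote(layer, c)) == ballot_image(c)
            for c in CANDIDATES
        ),
    }
```

The last check is the answer to the "seeming contradiction": because any mask is as plausible as any other, the receipt is exactly as consistent with ALICE or CAROL as with BOB, and only the trustee's mask resolves it. That is also where the trust concentrates, as the message argues: anyone who obtains `trustee.masks` can run `trustee_decodes` over every posted receipt, so the secrecy of the ballot in this toy rests entirely on that table staying private.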