[EM] Re: Election-methods digest, Vol 1 #374 - 1 msg

Ken Johnson kjinnovation at earthlink.net
Fri Dec 5 02:45:02 PST 2003

election-methods-electorama.com-request at electorama.com wrote:

>Message: 1
>From: matt at tidalwave.net
>Date: Wed, 3 Dec 2003 18:29:44 -0800 (PST)
>To: election-methods at electorama.com
>Subject: [EM] Verifiable secure voting using dual half pixel receipts
>Reply-To: matt at tidalwave.net
>Ken Johnson wrote:
>"As I understand it, a ballot receipt contains no information about the 
>voter's identity, which only becomes potentially knowable when the voter 
>presents the receipt for validation/verification. But how would the 
>process verify that only legally registered voters have voted, and that 
>no one voted twice? I don't quite understand the basis of the claim that 
>"...it can lift the requirement that voters must vote from their home 
>precinct ... inter-jurisdiction voting becomes workable ...".
>I respond:
>I assume that verifying only registered voters voted and no one voted twice would be done the same way this is currently done and the same ways your proposed method does.  For example, the voting machine would have to be reset by election volunteers after each vote before the next vote can occur.  Voters would have to sign in with an approved ID.  The voter registration data would be cross checked with other data bases. Etc.  Even your suggestion of machine readable stamps placed in  the registration logs immediately after the vote could be implemented to make it easier to verify that the number of votes and ballots match.
But are these processes workable without precinct-level voting? I had 
the impression that Chaum was implying this, but maybe his point was 
that the vote counting process (as opposed to voter verification) 
wouldn't be reliant on  precinct-level tallies.

>Ken Johnson wrote:
>"I question whether a method with this level of technical sophistication 
>and complexity would be practical or whether voters would trust the 
>"mathematical magic" behind the secure encryption scheme - especially in 
>emerging democracies where most voters may be barely literate, much less 
>computer literate or technologically literate. One particular weakness 
>is the reliance on a small number of "trustees" - holders of the private 
>encryption keys - to ensure voter secrecy. The trustees might have the 
>highest level of professionalism and integrity, but probably not much 
>technical sophistication or understanding of cryptography, so you might 
>find someday that a hacker has gotten hold of the private keys and 
>posted them on the Internet, along with all of the decrypted ballots."
>I respond:
>Keeping the secret keys secret is always essential to public/private key encryption.  Like the article says, government and businesses have been relying on this method for years now and so far it has been successful.  As I understand it the number of trustees (and therefore the number of private keys) can be increased or decreased to provide more or less secrecy protection.
Good points, but it could be argued that the method has not been very 
successful in societies where corruption is the norm and crooked public 
officials routinely pilfer vast sums of money from government and 
business accounts. The system's integrity ultimatly depends not on the 
encryption algorithm, but on the trustees' personal integrity and their 
susceptibility to being bribed, coerced, or duped into revealing their 

A more fundamental problem, I think, is one of voter perceptions and 
acceptance. Even if the process is provably secure, voters who don't 
understand the proof probably won't trust the system and won't vote. 
Look at it from the voter's perspective: You're given these two plastic 
sheets stuck together, which clearly show your vote. When you pull them 
apart the information seems to "magically" turn into garble, but you are 
told that (1) the information on your vote is still there on the 
receipt, which can be used to prove that your individual vote is 
correctly included in the final tally, and yet (2) no one can possibly 
find out from your receipt how you voted. Wouldn't the average voter be 
understandably mystified and baffled by this seeming contradiction? One 
thing you don't want an election process to do is mystify and baffle the 

>Ken Johnson wrote:
>"Following is an outline of a comparatively "low-tech" voting process 
>that I think probably accomplishes the same objectives as Chaum's 
>method, while overcoming its weaknesses. (Whether it actually does, I 
>pose as an open question.)"
>I respond:
>I disagree. I don't think your method accomplishes the same objectives.  For example, under the half pixel half receipt method it is likely that any attempt to swap a real voted ballot with a fraudulent replacement voted ballot would be detected.  Under your method anyone with access to the voted ballots, the ballot stamp, and the blank ballots could swap real voted ballots with his own fraudulent ballots without any chance of being detected (provided they could swap ballots when no one outside the vote rigging conspiracy who is willing to report the fraud was present as a witness).
>Ken then presented the properties and steps for his method of conducting secure elections which I won't repeat here.
In retrospect, I think I agree that we do not accomplish the same 
objectives. The primary objective of Chaum's proposal appears to be to 
enable individual voters to ensure that their ballots are correctly 
included in the final tally, whereas my focus is more on verifying that 
the final tally is correct. For the latter objective, it is not 
sufficient to be able to prove that any particular valid ballot 
corresponds to a correctly-entered database record; you also have to 
determine (at least within reasonable statistical uncertainty) that 
every database record corresponds to a valid ballot, i.e., there is no 
ballot stuffing or "database stuffing".

I think Chaum's method would be no less susceptible to fraud than my 
proposal, at least in terms of guarding against ballot stuffing and 
excluding illegal votes. In either case, the system is dependent on the 
integrity and compentence of local election officials. However, ballot 
tampering or stuffing would not likely affect the outcome of the 
election unless there is widespread fraud across dozens or hundreds of 
precincts. It is unlikely that such widespread collusion could be 
coordinated or that it would go undetected.

I'm not opposed to using ballot receipts to enable voters to verify that 
their ballots were counted. (People who don't trust the receipts can 
just shred them.) But ballot receipts are not sufficient to validate the 
election tally, and I dont't think it should be the responsibility of 
the voters to validate the tally. My position is that election results 
ought to be independently and provably verified (at least within 
reasonable doubt), as a matter of routine election certification 
processes, by methods that do not require voters to retain and surrender 
their voting receipts.

Ken Johnson

More information about the Election-Methods mailing list