From: Lee Daniel Crocker (lee@piclab.com)
Date: Thu May 15 2003 - 17:03:52 MDT
Here:
<http://verify.stanford.edu/evote.html>
a Stanford professor states the obvious: some electronic voting
machines are not auditable and easily hacked. But he recommends a
decidedly low-tech solution: having the machines produce paper
ballots that are authoritative and that can be audited by hand.
A much simpler, more automated, and totally auditable solution
is obvious to me after a few moments of thought, but perhaps I'm
missing something obvious, so let me put it out there and see if
you guys can see any flaws (technical or political):
At the polling place, each voter goes through the touch-screen
hand-holding menu options of the voting software. When he's done,
a simple paper receipt is printed that shows an overview of his
votes, which he is asked to read and confirm by placing it through
a reader and pressing a confirmation button. On that receipt is
also printed a large random number unique to each voter. The
reader processes the vote and sends it to a central server. If
the user made a mistake, he just discards the receipt without
submitting it and starts over. The voter retains this receipt.
Note that the receipt itself is secure: no one can determine
from it whose vote it represents, because the only identifier
on it is a random number.
After election day, each precinct publishes two lists (on the
net, on paper, whatever): one is nothing but a list of names of
everyone who voted. This is already public information (when you
go in to vote today, your name is checked off on the registration
list). This way, everyone who voted can verify that his name
appears on the list, and that names of people who he knows didn't
vote (or who are dead, etc.) do not appear.
The second list is the same number of entries, each of which is a
plaintext list of votes cast, along with a random number index made
by hashing together the random number printed on the voter stub
with info such as the voter's name, address, birthdate, etc., and
the votes themselves (a one-way hash). Each voter can then run a
program (with a published algorithm) to hash the random number on
his receipt with the information he knows, and then go to the list,
find that index, and verify that the published votes match.
Since the votes themselves are in plaintext, the count is easily
verified by anyone. There is nothing to match the vote lists to
people unless you know a voter's personal info and the number on
his receipt, so ballots are secret. A voter can't repudiate his
votes because he has to show his paper receipt which isn't
forgeable because of the one-way hash.
This way, the permanent record of the vote is totally online, and
the paper receipts serve as spot-checks. But groups concerned about
fraud could collect a large number of people to check their votes
on-camera if desired, and a few people might even make their votes
public as a further check (only by their choice, of course).
So, is there an attack here I don't see? If so, can you plug the
hole, or come up with a system with the same safeguards?
-- Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lee/> "All inventions or works of authorship original to me, herein and past, are placed irrevocably in the public domain, and may be used or modified for any purpose, without permission, attribution, or notification."--LDC
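The scheme in the post above, worked through as a small model (example code added to this page, not Lee's own; the two-contest ballot, the voter fields hashed into the index, SHA-256 as the one-way hash, and canonical JSON as the "published algorithm" are all assumptions). It covers the receipt with a random number, the two published lists, the voter's recomputation of his index, and the plaintext tally:

```python
"""Model of the receipt-plus-published-hash voting scheme described in the post.
Assumptions (not from the post): SHA-256 over canonical JSON as the one-way hash,
a ballot with two contests, and name/address/birthdate as the voter's personal info."""
import hashlib
import json
import secrets
from collections import Counter

CONTESTS = ("mayor", "prop_1")  # constructed sample ballot


def make_index(receipt_number, voter_info, votes):
    """The published index: a one-way hash over the random receipt number,
    the voter's personal info, and the votes themselves.  Canonical JSON
    (sorted keys, no whitespace) so anyone can recompute it exactly."""
    payload = json.dumps(
        {"receipt": receipt_number, "voter": voter_info, "votes": votes},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Precinct:
    def __init__(self):
        self.rolls = []    # names checked off at the door
        self.ballots = []  # (index, plaintext votes) records sent to the central server

    def cast(self, voter_info, votes):
        """The reader step: voter confirms the receipt, the vote is recorded,
        and the voter keeps the receipt number."""
        if set(votes) != set(CONTESTS):
            raise ValueError("ballot does not cover every contest")
        receipt_number = secrets.token_hex(16)  # large random number printed on the receipt
        index = make_index(receipt_number, voter_info, votes)
        self.rolls.append(voter_info["name"])
        self.ballots.append({"index": index, "votes": dict(votes)})
        return receipt_number

    def publish(self):
        """The two lists: who voted, and the indexed plaintext ballots.
        Ballots are sorted by index so their order says nothing about who cast them."""
        names = sorted(self.rolls)
        ballots = sorted(self.ballots, key=lambda b: b["index"])
        assert len(names) == len(ballots)
        return names, ballots


def verify_receipt(published_ballots, receipt_number, voter_info, votes):
    """What a voter runs at home: recompute the index from the receipt and what he
    knows, find it in the list, and check the published votes match."""
    index = make_index(receipt_number, voter_info, votes)
    for entry in published_ballots:
        if entry["index"] == index:
            return entry["votes"] == votes
    return False


def tally(published_ballots):
    """Anyone can count the plaintext votes."""
    counts = {contest: Counter() for contest in CONTESTS}
    for entry in published_ballots:
        for contest, choice in entry["votes"].items():
            counts[contest][choice] += 1
    return counts


if __name__ == "__main__":
    precinct = Precinct()
    # constructed voters
    alice = {"name": "Alice Example", "address": "1 Main St", "birthdate": "1970-01-01"}
    bob = {"name": "Bob Example", "address": "2 Main St", "birthdate": "1980-02-02"}
    alice_votes = {"mayor": "Smith", "prop_1": "yes"}
    alice_receipt = precinct.cast(alice, alice_votes)
    precinct.cast(bob, {"mayor": "Jones", "prop_1": "no"})

    names, ballots = precinct.publish()
    print("voted:", names)
    print("alice verifies:", verify_receipt(ballots, alice_receipt, alice, alice_votes))
    # If the server alters a published entry, the votes under Alice's index no longer
    # match, and it cannot forge a fresh matching index without her receipt number.
    tampered = [dict(b, votes={"mayor": "Jones", "prop_1": "yes"}) for b in ballots]
    print("alice verifies after tampering:",
          verify_receipt(tampered, alice_receipt, alice, alice_votes))
    print("tally:", {c: dict(n) for c, n in tally(ballots).items()})
```

Because the votes are part of the hashed index, a voter who misremembers a single choice gets the same "not found" result as a voter whose entry was altered; the demo's `verify_receipt` therefore takes the votes as input rather than looking them up by receipt number alone.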
This archive was generated by hypermail 2.1.5 : Thu May 15 2003 - 17:15:12 MDT