Re: Vote verification --- a futile exercise?

To: debian-vote@lists.debian.org
Subject: Re: Vote verification --- a futile exercise?
From: Anthony Towns <aj@azure.humbug.org.au>
Date: Wed, 3 Apr 2002 16:56:42 +1000
Message-id: <[🔎] 20020403065642.GA21968@azure.humbug.org.au>
Mail-followup-to: debian-vote@lists.debian.org
In-reply-to: <[🔎] EDFC12A4-46C1-11D6-999A-00039355CFA6@suespammers.org>
References: <[🔎] EDFC12A4-46C1-11D6-999A-00039355CFA6@suespammers.org>

On Wed, Apr 03, 2002 at 12:16:18AM -0500, Anthony DeRobertis wrote:
> 	2) No voter can vote for another person
> 	3) No voter can be denied his vote

These two can't be done absolutely without physical assurance --
trivially, someone could steal another person's gpg key and vote for
them, and bury them in a shallow grave to ensure they don't tell anyone
about it.

> 	7) No one can determine how another person voted

This is obviously not adhered to -- the secretary and DSA receive all the
votes as signed plaintext.

> 	5) Each voter can verify the correctness of his vote
> 	6) Every voter can verify the correct counting of the votes
> 	8) No voter can prove to another person how he voted.

These are probably mutually contradictory.

> 	9) Everyone can prove the rules were followed.

> 	[ I really should grab Applied Crypto and make sure I didn't
> 	  miss any ]

Applied Crypto doesn't go into any detail at all on point (8), eg.

> All the shared keys schemes proposed so far have failed to 
> follow 5 and 9, and perhaps others. The reason is that nothing 
> stops the secretary from adding additional votes.

The person whose vote was miscounted can demand the secretary prove that
he voted the way the secretary claims he did. If the secretary's unable to
do this, then the secretary's been cheating the system.

> You might think that (4) would be detected when the list was 
> released, but it won't because there is no one to _deny_ that 
> vote.

Sure there is. Send a signed mail that says "I didn't vote." or "My vote
wasn't counted." It's then the secretary's responsibility to disprove
this by revealing otherwise secret mails.

> You might think that (5) would be detected, but it won't 
> because that would require every debian developer --- all 900 of 
> them --- the prove they either did or did not vote. 

They don't need to "prove it", they just need to verify the tally, and
complain if they can't. If some don't, well, that just gives the secretary
a non-zero probability of being able to fake a person's vote. If he wants
to fake multiple votes, he's got a probability of (1 - p_a) * (1 - p_b)
* (1 - p_c) .. of getting away with it (where p_a is the probability
of getting caught faking a vote for person a), which decreases fairly
rapidly. Of course, for MIA developers, p_a approaches 1, so there's a
risk there.

> The easiest solution is to make sure we can trust our vote counter.

Pfft, where's the fun in that?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

                        Vote [1] Bdale!

-- 
To UNSUBSCRIBE, email to debian-vote-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Vote verification --- a futile exercise?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: Vote verification --- a futile exercise?
  - From: Anthony DeRobertis <asd@suespammers.org>

References:
- Vote verification --- a futile exercise?
  - From: Anthony DeRobertis <asd@suespammers.org>

Prev by Date: Vote verification --- a futile exercise?
Next by Date: Re: Vote verification --- a futile exercise?
Previous by thread: Vote verification --- a futile exercise?
Next by thread: Re: Vote verification --- a futile exercise?
Index(es):
- Date
- Thread