Re: Vote verification --- a futile exercise?
On Wednesday, April 3, 2002, at 01:56 AM, Anthony Towns wrote:
> On Wed, Apr 03, 2002 at 12:16:18AM -0500, Anthony DeRobertis wrote:
>> 2) No voter can vote for another person
>> 3) No voter can be denied his vote
> These two can't be done absolutely without physical assurance --
> trivially, someone could steal another person's gpg key and vote for
> them, and bury them in a shallow grave to ensure they don't tell anyone
> about it.
Yep. Someone could also embed an attack on PGP in one of the
chips in the vote counting machine. This person would be a very
well known C co-designer, of course ;-)
>> 7) No one can determine how another person voted
> This is obviously not adhered to -- the secretary and DSA receive all the
> votes as signed plaintext.
No one other than the secretary, then.
>> 5) Each voter can verify the correctness of his vote
>> 6) Every voter can verify the correct counting of the votes
>> 8) No voter can prove to another person how he voted.
> These are probably mutually contradictory.
They may be. If so, (8) is least important and can be dropped.
>> 9) Everyone can prove the rules were followed.
>> [ I really should grab Applied Crypto and make sure I didn't
>> miss any ]
> Applied Crypto doesn't go into any detail at all on point (8), eg.
No, it doesn't. It's probably not really a requirement to
Debian. It is a requirement for larger groups (e.g., cities,
counties, states, countries) to prevent the sale of votes.
>> All the shared keys schemes proposed so far have failed to
>> follow 5 and 9, and perhaps others. The reason is that nothing
>> stops the secretary from adding additional votes.
> The person whose vote was miscounted can demand the secretary prove that
> he voted the way the secretary claims he did.
Correct. I made a mistake referencing the numbers. D'oh!
>> You might think that (4) would be detected when the list was
>> released, but it won't because there is no one to _deny_ that
>> vote.
> Sure there is. Send a signed mail that says "I didn't vote."
Who shall do that? Every member of Debian who did not vote? The
verification procedure goes something like this, for each
developer: Check list. Is my vote (identified by a shared
cookie) on it? If so, is it recorded correctly? Lastly, do I get
the same results as the secretary when I tally the votes?
It being a secret ballot and all, there is no way for me to
match up a vote (other than my own, by knowledge of the shared
cookie) with a specific developer. The cookies that the
secretary made up happen to belong to no developer. But I don't
(and can't) know that.
Non-existent developers don't send signed messages stating they
did not vote. However, with the help of the secretary, they do
vote :-(
>> You might think that (5) would be detected, but it won't
>> because that would require every Debian developer --- all 900 of
>> them --- to prove they either did or did not vote.
>> ... of getting away with it (where p_a is the probability
>> of getting caught faking a vote for person a),
> Unless I've missed something, none of the proposed checks on the
> vote counter prevent him from casting votes from Mickey Mouse,
> George W. Bush, and Elvis Presley.
The risk of the secretary being caught is no more than people
questioning the high voter turnout [as a result of anonymous
votes], and being able to find more developers asserting they
did not vote than the tally shows. That risk is very low,
especially since the number of votes needed to swing a close
race is low. If Debian got 300 legitimate votes this election,
and the secretary decided to add in another 50 votes, probably
deciding the outcome of the election, could you find 550
developers to assert they did not vote? I very seriously doubt
it.
And without you presenting that evidence, the secretary
would --- rightfully --- refuse to release the actual PGP-signed
mails (which would prove his guilt) citing the Debian
Constitution, which states the votes are private. Releasing the
votes, he would argue, would violate that guarantee by making
all the votes public.
Even if you did present 550 developers stating they did not
vote, and thus showing the count wrong, the secretary would
still be proper in refusing to release the votes, on previously
stated Constitutional grounds. However, that would no doubt be
opposed by the majority of developers.
> The easiest solution is to make sure we can trust our vote counter.
Pfft, where's the fun in that?
Well, _Applied Cryptography_ (you actually got me to dig it up
and open it) tells us how not to in Section 6.1, under "Improved
Voting with a Single Central Facility."
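As an added illustration (not part of this thread or of any Debian tooling), a small Python model of the shared-cookie list and the per-developer checks described above: phantom ballots pass every individual check and are caught only by comparing the list length against signed "I did not vote" statements. Developer names, membership size and cookie format are constructed.

```python
import secrets
from collections import Counter

# Constructed model: each developer shares a secret cookie with the secretary;
# the published list holds (cookie, choice) pairs, so a voter can find only
# their own ballot and nobody can link other ballots to developers.

def cast_ballots(choices):
    """choices: {developer: choice}. Returns ({developer: cookie}, published list)."""
    cookies = {dev: secrets.token_hex(8) for dev in choices}
    published = [(cookies[dev], choices[dev]) for dev in choices]
    return cookies, published

def verify_own_vote(published, cookie, choice):
    """Per-developer checks 1-2: is my ballot listed, and recorded correctly?"""
    return (cookie, choice) in published

def tally(published):
    """Check 3: recount the published list independently of the secretary."""
    return Counter(choice for _, choice in published)

def stuff_ballots(published, choice, n):
    """The weakness the thread describes: ballots appended under cookies that
    belong to no developer, so nobody exists to deny holding them."""
    return published + [(secrets.token_hex(8), choice) for _ in range(n)]

def turnout_consistent(published, membership_size, non_voter_claims):
    """The only detection offered: listed ballots must not exceed the members
    who have not signed an 'I did not vote' statement."""
    return len(published) <= membership_size - non_voter_claims

def demo():
    legit = {"alice": "yes", "bob": "yes", "carol": "no"}
    cookies, published = cast_ballots(legit)
    stuffed = stuff_ballots(published, "no", 5)
    # every real voter's own checks still pass on the stuffed list
    own_ok = all(verify_own_vote(stuffed, cookies[d], c) for d, c in legit.items())
    return {
        "honest_winner": tally(published).most_common(1)[0][0],
        "stuffed_winner": tally(stuffed).most_common(1)[0][0],
        "own_checks_pass": own_ok,
        # 10 members, 8 ballots listed: only caught if more than 2 deny voting
        "caught_with_2_denials": not turnout_consistent(stuffed, 10, 2),
        "caught_with_7_denials": not turnout_consistent(stuffed, 10, 7),
    }
```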