Re: Secret votes HOWTO
On Wed, Apr 04, 2001 at 09:59:26PM -0700, Seth Arnold wrote:
>
> However, I think we agree that it really ought to be hashed -- I like
> how the hash ties the vote to the voter along with the secret
> information in a manner that is inextricable yet anonymous.
hashed:
12345 553f1ae9b45bee7aeede6a97605bacaa
nothashed:
12345 0xF456 5492
(for the hased, i hased the vote (12345), with the d.o login (alice),
and the user-supplied entropy (s3kr!t))
the nothashed has the vote, the system supplied entropy, and the
user-supplied entropy.
i am not here to argue the relative merits of the strength of entropy
pools. the idea is to say ``yes, that is my vote, and that is how i
voted, and when i tally up the votes, they come out to what the
secretary said they came up with. i know my vote was not tampered with,
and yes, and my name does show up at the list in the bottom :)''
the point is, the hash is not required. the per-user verification is. i
think manoj and i agree that checking (say) 8 digits is easier than an
md5sum.
at any rate, system-supplied entropy and user supplied entropy will be
required (in the hash case, it can be username. in the nothashed case,
it would be an arbitrary value sent along with the confirmation)
i suppose if one were so inclined, one could use a bit of both:
bothhash:
12345 553f1ae9b45bee7aeede6a97605bacaa s3kr!t
this way we have both the hash, and the user-supplied entropy. so the
user need only scan for their splied entropy and perform further
verification as required.
but in this case, the md5sum only masks as server side entropy.
(but it also makes it trivial to determine who cast the vote:
% for i in ${=USERS}; do [ `echo 12345 $i s3kr\!t | md5sum` = 553f1ae9b45bee7aeede6a97605bacaa ] && echo it was ${i}\`s vote ; done
and that violates the whole idea of a secret vote, so that idea is bad.
let's ignore that one, shall we?
so: hashed and nothashed both provide the same benefits. it's just a
matter of which is prefered.
-john
Reply to: