OVC: Use chain of custody to fix chain of custody!? July 31, 2008
Posted by Aleks Essex, and Richard Carback in : Concepts in E2E, Voting Goals , 5 commentsOpen Voting Consortium and Okori Group offered a new open source voting system solution at LinuxWorld 08. According to the CNET interview:
Dechert says his system is better because it doesn’t use fancy cryptography, it uses a simple chain of custody.
This statement right here is the deal breaker. Why? I would hope it’s obvious:
A solution requiring the non-existence of the very fault-condition it attempts to solve is not a solution.
Folks, accept no substitutes. End-to-end verification: often imitated, never duplicated.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Scantegrity II in EVT 2008 July 11, 2008
Posted by Richard Carback in : Concepts in E2E, Privacy, Security, Voting Events , add a commentWe will be presenting Scantegrity II at the 2008 USENIX/ACCURATE Electronic Voting Technology Workshop. Here’s the abstract of our paper:
Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes
by David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman
We introduce Scantegrity II, a practical enhancement for optical scan voting systems that achieves increased election integrity through the novel use of confirmation codes
printed on ballots in invisible ink. Voters mark ballots just as in conventional optical scan but using a special pen that develops the invisible ink. Verifiability of election integrity is end-to-end, allowing voters to check that their votes are correctly included (without revealing their votes) and allowing anyone to check that the tally is computed correctly from the included votes. Unlike in the original Scantegrity, dispute resolution neither relies on paper chits nor requires election officials to recover particular ballot forms. Scantegrity II works with either precinct-based or central scan systems. The basic system has been implemented in open-source Java with off-the-shelf printing equipment and has been tested in a small election.An enhancement to Scantegrity II keeps ballot identification and other unique information that is revealed to the voter in the booth from being learned by persons other than the voter. This modification achieves privacy that is essentially equivalent to that of ordinary paper ballot systems, allowing manual counting and recounting of ballots.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Scantegrity: Choice in audit trails June 7, 2008
Posted by Aleks Essex in : Concepts in E2E, Voting Goals , add a commentWith respect to Scantegrity and our design objectives, Flaherty has it wrong:
A system that started as an attempt at secure voting without paper ballots has, ironically, evolved into a system designed for compatibility with existing paper ballot voting systems.
If he were to live in the shoes of a voting system designer for one day he would learn an interesting lesson: the barrier to entry for new paradigms is so vast, and onus on voters to learn anything new is so low, the only way to present truly new ideas, regrettably, seems to be to allow some people to believe they’re not new ideas at all.
We didn’t integrate a paper trail into Scantegrity because we necessarily think it adds security. But the pride of the 1850’s still gives folks comfort, and we’re not out to take that away from them.
What we’ve done, I think quite reasonably, gives people who want to verify an election a choice: paper trail verification if it floats your boat, and for those who want something more compelling, a new approach to proof of election integrity called E2E.
The fact is, Scantegrity incorporates both “old” and “new” into one system, which we felt was a vital direction, and I’m not bashful about telling you a lot of work went into it.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
E2E is my cup ‘o tea March 18, 2008
Posted by Aleks Essex and in : Concepts in E2E , 1 comment so farStefan recently came up with a simple way of explaining E2E (receipt-based) voting systems. He said, imagine if your ballot was attached to a string, and at the end of the string was a tag, and on the tag was some (pseudonymous) identifier.
You put the ballot in the ballot box, but leave the string and tag hanging out. Eventually, as people cast their ballots, the strings and ballots become all jumbled up. The next day you could come back and find your tag. You can see your string disappear into the ballot box (and into a knotted ball). But is your ballot still attached to the other end?
The election authority conducts a zero-knowledge proof to demonstrate the strings are all still in one piece by showing the jumble of strings in sections. At each section you can visually inspect that the strings are in one piece, but cannot (simultaneously) tell where they come from or where they go.
So if you can find your tag, and if across the entire length of strings you do not see any cuts, it’s proof your ballot is still in the ballot box somewhere.
I’ve been calling this the “tea-pot” model for (I hope) obvious reasons:
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.