Re: Report on EVM Rating Workshop

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Tue Jun 13 2006 - 13:14:48 CDT

On Jun 13, 2006, at 12:54 PM, Ron Crane wrote:

> The reference to encryption is to schemes (like VoteHere:
> Neff-Chaum) that use cryptography to allow voters to
> determine whether their ballots are correctly included in
> the final tally without being able to prove to anyone
> else how they voted.

David Chaum and Josh Beneloh were at the workshop, and both
presented interesting papers.

> I have significant doubts about Neff-Chaum's robustness against
> vendor-based vote-switching attacks.

Chaum's punch-scan scheme, using paper ballots and a bingo-dauber
to cast votes, makes vote-switching a bit daunting. A simple
denial-of-service attack is possible, however, and if targeted
at jurisdictions (at the precinct, county or state level) could
easily be used to swing elections -- the attack is easy to detect
after-the-fact, but there's nothing you can do about it other than
re-run the election, an impossibility under the law codes of many

The attack involves printing invalid ballots (either counterfeit
substitution for pre-printed or postal ballots, or hacked software,
for ballot-on-demand systems). The counterfeit ballots would have
genuinely random choice labels, instead of the cryptographic
association of choice labels with candidate names used normally.
Although there may be a physical paper ballot surviving the election,
there is no way to recover the correct linkage between mark and
vote, so there is no recovery from this attack by any kind of recount.

> Finally, they're opaque as all get-out except to cryptographers.

Chaum is getting better at this, and Beneloh is trying. I had a nice
experience, sitting with Eric Lazarus while Josh Beneloh tried to
explain mix nets to him. I think that, between Josh and I, we did
succeed in explaining how it worked and how you could proove, to as
high a degree of certainty you wanted (short of absolute certainty)
that the mix net was valid.

But, proof to Eric Lazarus, a computer security person with no
real crypto background, is very different from proof to my wife.

On the other hand, and here, Josh Beneloh gets serious credit, the
proof that any of these crypto schemes is honest is far simpler
than the proof that a classic paperless DRE system is honest.
In this regard, it is clear that these crypto schemes, even with
their flaws, represent something big.

And, I note, Chaum's scheme is the easiest of the batch to explain,
except perhaps, for the work at Newcastle upon Tyne by Randell and

Chaum's scheme does not really use encryption, it uses
cryptographically secure keyed hash functions that start with
the ballot serial number and generate the linkage between voting
target position on a mark-sense ballot and candidate.

> As such, they cannot effectively be supervised by the general public

This remains the big problem!

                Doug Jones

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Fri Jun 30 23:17:05 2006

This archive was generated by hypermail 2.1.8 : Fri Jun 30 2006 - 23:17:12 CDT