Re: Three Ballot Voting System - Comments Appreciated

From: Ron Crane <voting_at_lastland_dot_net>
Date: Mon Sep 25 2006 - 19:19:20 CDT
anwar adi wrote: 
Kathy Dopp wrote:
  
>From Ron Rivest:

I'm writing in part to let you know of a new
voting system proposal that I just published on my
web site, called "ThreeBallot" (because you cast
three ballots!).  It has very nice security properties,
as you'll see:
   http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf

Comments appreciated...
_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
  
    
Very interesting.  It's an easy read with interesting analysis.  It's 
also  crypto- and patent-free.  It's probably simple enough to explain 
to a high-school graduate *and* it's secure.  Kind of what we were 
trying to accomplish with possibly complementary work at blackboxvoting.org
and along the lines of the GPL'd OVC system.

I'd like to publicly thank Dr. Rivest for this work.
It's interesting and clever (particularly in how it avoids facilitating vote buying), but it's not really "secure." The scheme is easy for techies to understand, but I that doubt it would be easy for the relatively uneducated to understand. Many people will, I think, find it very difficult to fill in an oval beside a candidate they do not wish to vote for. The checker machine is subject to an attack similar to, but more effective than, the turning-off-overvote-protection attack that the Brennan Center describes on p.81 of its recent report. In this attack, the checker selectively fails to warn voters of malformed ballots. [1]

Worse, the checker machine can steganographically encode information onto all three ballot copies that indicates to a cooperating tabulator (a) that they all belong to a single voter; (b) each one's ballot number (1, 2, or 3); and (c) which one the voter copied. The cooperating tabulator can then scan correctly the one the voter copied, but then flip the voter's choice by intentionally mis-scanning one of the other two ballots. This attack can be caught (and corrected) by an appropriate manual audit -- but that audit requires 3x the work of the usual PCOS audit.

Then, of course, the usual presentation frauds and voter verification issues [2] apply to the idea of using ThreeBallot on ballot printers.

-Ron

[1] This attack cannot be caught by manually auditing for malformed ballots, because separating the ballots eliminates their identity as having been cast by a single voter, and thus the ability to determine whether a set of 3 ballots is malformed. This attack also cannot be caught by auditing the totals unless the attacker is unwary enough to reduce a candidate's count to below the number of voters (= zero) -- an unlikely event.

[2] The Brennan Center's report at p.66 cites a simulated election conducted by Ted Selker on VVPT machines, in which voters discovered only 3 of 108 errors.

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sat Sep 30 23:17:06 2006

This archive was generated by hypermail 2.1.8 : Sat Sep 30 2006 - 23:17:08 CDT