On Sat, 09 Oct 1999 20:35:15 -0700, Ed Gerck <[EMAIL PROTECTED]> wrote:
> In reference to the recent discussions on voting, I am
> preparing a list of desirable properties of voting, as a
> secure protocol. Of course, it may not be desirable or even
> possible for a particular election process to include *all*
> of them -- the objective is just to have a list of choices.
So how well do these apply to the company that you started this thread
on, votehere.net? Remember, the ones you called "snake oil"?
> 1. Completeness: All valid votes are counted correctly, if all
> participants are honest.
Seems pretty easy to meet if everyone is honest.
> 2. Robustness: Dishonest voters, other participants or outsiders can't
> disturb or disrupt an election.
Votehere's system depends on a coalition of mutually suspicious parties
to tally the vote (they mutually share the necessary decryption key).
If enough of these refuse to cooperate then this could disrupt the
election.
> 3. Privacy: The votes are casted anonymously.
Likewise if the key holders all decided to collude together they could
decrypt individual votes and remove anonymity. This and the previous
failure are supposed to be unlikely because the parties involved are
competitors and include officials with public accountability.
> 4. Unreusability: Every voter can vote only once.
> 5. Eligibility: Only legitimate voters can vote.
This seemed to be the main concern which caused Ed to initially brand
votehere.net as "snake oil?". Any cryptographic system has to assume
a certain pre-established system for determining voter eligibility.
Such real-world systems are inherently messy and imperfect and cannot
have the clean provability of a mathematical system. By the standards of
mathematical proof, any voting system would have to be called snake oil.
However many of the same issues arise with the imperfect physical
voting systems we have today, especially as we move towards absentee
mail-in ballots (currently running 30% or more of total votes in local
U.S. elections).
> 6. Fairness: A voter casts his vote independently and is not influenced
> (e.g. by publishing intermediate results of the election, copying and
> casting of the encrypted vote slip of another voter as his own vote).
The votehere system seems to be OK on this.
> 7. Verifiability: The tally can not be forged, as it can be verified by
> every voter. The verifiability is locally, if a voter can only check
> if his own vote if counted c orrectly. If it is verifiable whether all
> votes are counted correctly, then the verifiability is universally.
The tally can be verified, it seems, but not enough information has been
presented to distinguish between local vs universal verifiability in the
votehere.net system.
> 8. Receiptfreeness: A voter can't prove to a coercer, how he has
> voted. As a result, verifiable vote buying is impossible.
It appears that the votehere system does not satisfy this, since the vote
is published in encrypted form, so the voter can reveal the plaintext in
a verifiable way. Of course even if the system mathematically protected
against this you could still sell your vote by voting at home while the
vote buyer watched you.
Overall it looks like votehere.net does pretty well on these points.
Snake oil is a nasty phrase in this business. It's about the worst thing
you can say about a crypto related enterprise. Next time it would be
better to learn about the technology before commenting on it rather than
the other way around.
