Concerns about the election process


This falls under the category of "concerns about the election process".
It's a bit of a nit-pick.

I'm writing about two concerns.  The two concerns are secrecy of the
vote (nobody can discover who I voted for) and security of the vote
(nobody can tamper with the results without being discovered).


I will first discuss security.  This issue is easy to fix and should be
fixed for the next elections.

It is clear that an attempt has been made toward security.  The use of
anonymous tokens are provided to allow each concerned voter to be sure
that their vote has been counted properly.

  - step 4 is a confirmation that your vote has been accepted and gives
    you the anonymous token that will enable you to verify your vote.

This is insecure.

As a voter, how do I know that my "token" isn't just a deterministic
hash of my choices?  The people running the election could then easily
just publish my choices along with this token once for every person who
chose the same way that I did.  Essentially, I don't know if my vote is
really my vote at all, so I have no reason to believe that my vote has
been counted.

The only way of discovering this would be to talk with others about my
choices and even then it's only a single collision which could easily be
put off as voter error.  Discovering the corruption of those holding the
voting process would require a massive public disclosure of who everyone
voted for.

All reasonably secret voting systems must dismiss single users claiming
errors (since otherwise someone could change their mind and cause the
election to be held again).  It should take a large number of people
claiming inconsistencies in order for real doubt to be cast on the

Now of course, I trust those running the elections.  It's just that if
you are going to go to the effort of attempting to prove that the
process is secure against tampering then you should actually prove it.

A secure process would be to allow the voter to provide their own
anonymous token.  This token could be any string or could be limited to
a hexadecimal number of an exact (reasonable) size.  To make the process
easier, a Javascript "Generate" button could be used to generate this
random number.  The source of the Javascript could be inspected, and for
the truly paranoid there would still be the possibility of entering your
own token.

The voter could then be sure that with a vanishingly low chance of a
collision, that their vote is in fact their vote.


The second problem is secrecy.  This problem is a lot more difficult to
fix in a reasonable manner and maybe should not be fixed at all.  The
problem stems from the fact that the voting web application could
trivially be augmented to create a log of each voter and their choices.

A possible workaround for this limitation is the idea of a
blinded-signature scheme.  Under this scheme, it is possible to have an
entity sign a document without being able to view it.  The voting
process then proceeds something like this:

A voter generates a random voting token of a specific format (in this
case, it would likely be the same random token as used in the vote
security process outlined above).  They "blind" this token and send it
along with traditional credentials (like email address and voting key,
or possibly PGP signature from their email address) to a ballot signing
authority.  The ballot signing authority ensures that this is the only
signing request that the user has made, signs their ballot and returns
it to them.

The token is of a specific format to prevent certain types of attacks in
which it might be possible (depending on the blinding scheme used) to
obtain a signature that is valid for multiple messages.

The signing authority can log all of the ballets that it has signed (and
in fact it probably should, to allow recovery of lost ballots).

The voter then "unblinds" their ballot, receiving their original voting
token.  They vote with this token.  The election is held by possibly the
same person who did the blind signature.

Because of the blinding process, it is possible for the people holding
the elections to ensure that the ballot is legitimate but absolutely
impossible to link it with a specific person.  The people holding the
election record each unique token used to vote in order to ensure that
multiple voting does not occur.

I've been intentionally vague about the specific algorithms used to do
blind signatures because there are a lot of them.  The entire process is
also explained in much more detail here:


These are my two concerns.  Please take the first half of this email
very seriously and the second half as a pie-in-the-sky idea that might
be nice eventually if somebody has a lot of time.  It's only recently
that GNOME has had anonymous voting at all, so voter secrecy is a
somewhat less important issue than the security of the vote.

I'd like to take a moment here to acknowledge Baris and everyone else
who has been involved in the election process this year.  Thanks guys.
Without you, there wouldn't even be a vote to speak of.


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]