Any ideas to make an Electronic Voter Machine more secure? [on hold]
$begingroup$
EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?
encryption voting
edited yesterday
D.W.
29.8k769146
asked yesterday
aashikaashik
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
put on hold as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes♦ 5 hours ago
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
add a comment |
$begingroup$
EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?
encryption voting
edited yesterday
D.W.
29.8k769146
asked yesterday
aashikaashik
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
put on hold as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes♦ 5 hours ago
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
yesterday
$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
yesterday
$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
18 hours ago
add a comment |
$begingroup$
EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?
encryption voting
edited yesterday
D.W.
29.8k769146
asked yesterday
aashikaashik
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?
encryption voting
encryption voting
edited yesterday
D.W.
29.8k769146
asked yesterday
aashikaashik
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
D.W.
29.8k769146
asked yesterday
aashikaashik
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
D.W.
29.8k769146
edited yesterday
D.W.
29.8k769146
edited yesterday
D.W.
29.8k769146
29.8k769146
asked yesterday
aashikaashik
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
aashikaashik
91
asked yesterday
aashikaashik
91
91
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
aashik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
put on hold as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes♦ 5 hours ago
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
put on hold as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes♦ 5 hours ago
Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
yesterday
$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
yesterday
$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
18 hours ago
add a comment |
$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
yesterday
$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
yesterday
$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
18 hours ago
$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
yesterday
$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
yesterday
$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
yesterday
$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
yesterday
$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
18 hours ago
$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
18 hours ago
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.
- Count votes (or at least: determine if there was more yes than no) with the result public.
- Limit voting to one per registered voter.
- Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.
- Resist denial of service.
- Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].
Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.
Alternatives have been tried:
- Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.
- Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.
The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.
[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.
answered yesterday
fgrieufgrieu
80.9k7172342
$endgroup$
1
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
2
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
1
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
2
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
2
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
|
show 1 more comment
$begingroup$
I will give some links;
- E-voting experiments end in Norway amid security fears
- If it ain’t broke, don’t fix it: Australia should stay away from electronic voting
- DEFCON 25 Voting Machine Hacking Village
- Hacking a US electronic voting booth takes less than 90 minutes
- Voting - What Is, What Could Be (2001)
- Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)
The last two is taken from the Caltech/MIT Voting Technology Project (VTP)
answered yesterday
kelalakakelalaka
8,22322351
$endgroup$
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.
- Count votes (or at least: determine if there was more yes than no) with the result public.
- Limit voting to one per registered voter.
- Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.
- Resist denial of service.
- Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].
Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.
Alternatives have been tried:
- Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.
- Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.
The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.
[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.
answered yesterday
fgrieufgrieu
80.9k7172342
$endgroup$
1
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
2
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
1
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
2
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
2
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
|
show 1 more comment
$begingroup$
We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.
- Count votes (or at least: determine if there was more yes than no) with the result public.
- Limit voting to one per registered voter.
- Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.
- Resist denial of service.
- Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].
Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.
Alternatives have been tried:
- Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.
- Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.
The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.
[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.
answered yesterday
fgrieufgrieu
80.9k7172342
$endgroup$
1
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
2
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
1
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
2
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
2
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
|
show 1 more comment
$begingroup$
We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.
- Count votes (or at least: determine if there was more yes than no) with the result public.
- Limit voting to one per registered voter.
- Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.
- Resist denial of service.
- Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].
Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.
Alternatives have been tried:
- Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.
- Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.
The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.
[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.
answered yesterday
fgrieufgrieu
80.9k7172342
$endgroup$
We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.
- Count votes (or at least: determine if there was more yes than no) with the result public.
- Limit voting to one per registered voter.
- Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.
- Resist denial of service.
- Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].
Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.
Alternatives have been tried:
- Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.
- Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.
The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.
[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.
answered yesterday
fgrieufgrieu
80.9k7172342
edited yesterday
answered yesterday
fgrieufgrieu
80.9k7172342
answered yesterday
fgrieufgrieu
80.9k7172342
answered yesterday
fgrieufgrieu
80.9k7172342
80.9k7172342
1
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
2
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
1
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
2
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
2
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
|
show 1 more comment
1
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
2
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
1
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
2
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
2
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
1
1
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
$endgroup$
– Paul Uszak
yesterday
2
2
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
$begingroup$
In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
$endgroup$
– fgrieu
yesterday
1
1
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
$begingroup$
Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
$endgroup$
– kelalaka
yesterday
2
2
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
$begingroup$
@PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
$endgroup$
– Maeher
yesterday
2
2
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
$begingroup$
+1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
$endgroup$
– poncho
yesterday
|
show 1 more comment
$begingroup$
I will give some links;
- E-voting experiments end in Norway amid security fears
- If it ain’t broke, don’t fix it: Australia should stay away from electronic voting
- DEFCON 25 Voting Machine Hacking Village
- Hacking a US electronic voting booth takes less than 90 minutes
- Voting - What Is, What Could Be (2001)
- Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)
The last two is taken from the Caltech/MIT Voting Technology Project (VTP)
answered yesterday
kelalakakelalaka
8,22322351
$endgroup$
add a comment |
$begingroup$
I will give some links;
- E-voting experiments end in Norway amid security fears
- If it ain’t broke, don’t fix it: Australia should stay away from electronic voting
- DEFCON 25 Voting Machine Hacking Village
- Hacking a US electronic voting booth takes less than 90 minutes
- Voting - What Is, What Could Be (2001)
- Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)
The last two is taken from the Caltech/MIT Voting Technology Project (VTP)
answered yesterday
kelalakakelalaka
8,22322351
$endgroup$
add a comment |
$begingroup$
I will give some links;
- E-voting experiments end in Norway amid security fears
- If it ain’t broke, don’t fix it: Australia should stay away from electronic voting
- DEFCON 25 Voting Machine Hacking Village
- Hacking a US electronic voting booth takes less than 90 minutes
- Voting - What Is, What Could Be (2001)
- Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)
The last two is taken from the Caltech/MIT Voting Technology Project (VTP)
answered yesterday
kelalakakelalaka
8,22322351
$endgroup$
I will give some links;
- E-voting experiments end in Norway amid security fears
- If it ain’t broke, don’t fix it: Australia should stay away from electronic voting
- DEFCON 25 Voting Machine Hacking Village
- Hacking a US electronic voting booth takes less than 90 minutes
- Voting - What Is, What Could Be (2001)
- Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)
The last two is taken from the Caltech/MIT Voting Technology Project (VTP)
answered yesterday
kelalakakelalaka
8,22322351
answered yesterday
kelalakakelalaka
8,22322351
answered yesterday
kelalakakelalaka
8,22322351
answered yesterday
kelalakakelalaka
8,22322351
8,22322351
add a comment |
add a comment |
$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
yesterday
$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
yesterday
$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
yesterday
$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
18 hours ago