Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
Witness and reader elements are verifiable to be free from errors, but there
is no requirement for all elements to be perfect or even perfectly independent.
Perfection of each human and each element of hardware and software is not
required. In fact, we know that all elements are somewhat imperfect. The security
paradigm that the weakest link defines the security of the system does not apply.
Rather, a central aspect of the WVS is that there should be enough³ multiple
correction channels (C) providing feedback in order to enable the WVS to offset
the influence of interference from error channels (E) caused by faults, attacks
and threats by adversaries, so that the election outcome error can be reduced to
a value as close to zero as desired, which we call error-free.
In other words, the WVS can achieve an error-free election outcome by
optimally preempting, or at least resolving, any dispute regarding accuracy,
reliability, voter privacy, and election outcome trustworthiness.
2.1 Trust Is Good, Control Is Better
Trust can be viewed as that which can break a security design [15]. In other
words, when I trust A on matters of X, if that trust fails then I have to assume
that “matters of X” can take on any possible value. With possible exceptions, it
is better to control than to trust [15]. Thus, with the WVS, no one is asked to
trust a particular witness, reader, or even a particular procedure.
To comply with these goals, the WVS allows witnesses and readers to be
independently controlled by each stakeholder, so that they do not need to be
trusted by that party. Cryptography is not used in any role where it must be
trusted by a party; trust cannot be imposed [15]. Cryptography can, however, be
used where each party agrees to it, for example in using public-key cryptography
to protect the information collected by that party’s witnesses in such a way
that the resulting information confidentiality is acceptable to any party.
Alternatively, acceptable physical controls can be used.
2.2 Concept Appeal
Intuitively, as more witnesses are considered, it becomes less likely that all
witnesses can be compromised at the same time. More Witnesses = Better Evidence.
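An added illustration of this intuition (not from the original text): assuming each witness is wrong or compromised independently with probability p and the reader follows the majority, both simplifications introduced here, the code computes how quickly the chance of a wrong reading falls as witnesses are added. The function names and the value p = 0.1 are constructed for the example.

```python
from math import comb


def all_compromised(p: float, n: int) -> float:
    """Probability that every one of n independent witnesses is compromised."""
    return p ** n


def majority_wrong(p: float, n: int) -> float:
    """Probability that more than half of n independent witnesses are wrong.

    Assumption of this example: witnesses fail independently, each with
    probability p, and the reader accepts whatever the majority reports.
    """
    if n < 1 or n % 2 == 0:
        raise ValueError("use an odd, positive number of witnesses to avoid ties")
    k_min = n // 2 + 1
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(k_min, n + 1))


def witnesses_needed(p: float, target: float, n_max: int = 999) -> int:
    """Smallest odd n whose majority-wrong probability is at or below target."""
    if not 0 <= p < 0.5:
        # A witness that is wrong at least half the time adds no correction:
        # adding more of them does not drive the error towards zero.
        raise ValueError("majority reading only converges when p < 0.5")
    for n in range(1, n_max + 1, 2):
        if majority_wrong(p, n) <= target:
            return n
    raise ValueError("target not reachable within n_max witnesses")


if __name__ == "__main__":
    p = 0.1  # constructed per-witness error probability
    print(" n  P(all compromised)  P(majority wrong)")
    for n in (1, 3, 5, 7, 9):
        print(f"{n:2d}  {all_compromised(p, n):18.2e}  {majority_wrong(p, n):17.2e}")
    print("witnesses needed for error <= 1%:", witnesses_needed(p, 0.01))
```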
The idea that multiple correction channels can be used to offset errors caused
by fraud was already known some 500 years ago in the context of combating
corruption.⁴
Formally, the WVS and the error-free result are based on the well-known
Information Theory [9, 11], a mathematical representation of the conditions and
parameters affecting the transmission and processing of information, which has
been applied as a natural answer to questions in fields as diverse as cryptography
and linguistics [10], optics [12] and portfolio theory [13].
³ Qualified as C ≥ E, see Section 6.3, Error-Free Condition.
⁴ Hindu governments of the Mogul period, notwithstanding the additional efforts, used
at least three parallel reporting channels to survey their provinces with some degree
of reliability [16].

