Page 21 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 21
The Witness-Voting System
13
We further distinguish interference with functional and performance influence
(hereafter called physical interference) from interference with environmental and
non-functional influence (hereafter called conceptual interference).
Conceptual interference must be observable in its effects but does not need
to exist physically; it may just stay as a threat. 18 Interference also presents
combined failure modes where an attack in one layer of the system can be used
to compromise another layer (e.g., a conceptual interference creating a physical
spurious change in the election outcome).
Our concept of interference captures any source that could perturb the election
outcome, including faults, attacks and threats by an adversary. 19
For example, passive eavesdropping on the voted ballot (e.g. by covertly moni-
toring the stray electromagnetic emissions from the computer screen used by the
voter) can enable coercion that may interfere with the election outcome. Yet if
performed from afar, undetectably and never overtly used to coerce or influence
voters, a passive attack such as eavesdropping can still be used to perturb the
election outcome (see footnote 7). In either case, passive eavesdropping can be
modeledas aninterference source interms of its influence on the output signal
(the received message; the election result).
Information Theory also includes the concept of interference, or noise,de-
fined as that which perturbs the signal. The usual case of interest is when the
signal does not always undergo the same change in transmission, when noise
may be considered a chance variable just as the message is considered. In gen-
eral, noise may be represented by a suitable stochastic process. However, it mat-
ters not whether noise always produces different changes in the received signal,
or where that change originates. A constant and 100% predictable radio signal
from an unknown source is also noise. Anything that interferes with the message
is noise.
We observe that interference (noise) in Information Theory corresponds to the
same concept defined here. As previously considered by us [16], the condition to
model attacks and faults as interference (noise) in a communication system is the
same one that already exists in Information Theory, namely, noise is anything
that interferes with the message.
In describing interference sources and prevention, it is customary to define
boundaries or spheres of influence. A first boundary comprises the voting means.
18 This is well-known to chess players, where perceived threats can be more effective to
change a game than actually carrying out an attack. A voter who fears that an attack
can reveal her choices, with unpleasant consequences, may not vote as intended even
if there is no such attack.
19
Including, for example, the influence of ambiguous ballot design, incorrect touch
screen coordinates, transmission and reception errors, faults, malfunctions, virus,
bugs, buffer overflow, dormant or hidden code, alpha particle memory corruption,
covert microcode, covert channels, human error, collusion, coercion, blackmail, finan-
cial kickbacks, fraud and any passive or active interference attempt by adversaries.
This may also include man-in-the-middle, eavesdropping, replay, impersonation,
forgery, and any other attacks by an adversary. Attacks may also adapt to defenses,
either automatically or driven by an intelligent source [16].
