Page 27 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 27
27
by even a small fraction of the voters (e.g., 5%)
can be effective in detecting
errors and create a credible deterrent to fraud. Thus, when properly done, voter
verification by even a small fraction of the voters can help improve election
outcome trustworthiness for all voters. The Witness-Voting System 19
Another characteristic of a good voting system is freedom of choice. A voter
needs to be able to trust that she cannot be threatened, hurt, or even denied
something as a result of her vote choices. Election operators and the public in
general also need to be able to trust that voters cannot receive favors as a result
of their vote choices. To assure freedom of choice, the only person to whom
the vote should be proved is the voter himself. In other words, no one else and
certainly not the election operators should be able to prove how a voter voted.
Otherwise, the vote could be coerced or sold. Thus, no information channels
may exist allowing individual voters and ballots to be linkable. We call this the
unlinkability condition; even though voters and votes must each be identifiable,
they must not be linkable to each other.
In terms of electronic versus paper ballot voting systems, the primary concern
for increasing reliability is the capacity of the correction channels compared with
the capacity of the error channels —not the physical properties of the medium
(e.g., paper) used in a communication channel. If an electronic voting system is
able to provide N proofs (human and machine based), these N proofs for some
value of N larger than one will become more reliable than one so-called “physical
proof” even if this one proof is engraved in gold or printed on paper. The make-
up of each channel’s carrier (e.g., paper, photons, electrons) is by itself irrelevant.
See [40] for further discussion on this topic.
To assure end-to-end trust, in addition to protect casting the ballot, one must
also protect the former steps in presenting the ballot as well as the latter steps
in tallying and auditing the ballot. This will be given as a set of Requirements
(Section 7) that work together in an end-to-end design. The concept of trust in
[15] has the same meaning in all the components [VITM, Requirements, WVS]
of the design. Different verifiers can also use different trust models (e.g., hierar-
chical, web-of-trust), which are all integrated (though not unified) through the
same trust definition, subsuming the physical and conceptual cases.
With potential applications to other security problems, we note that the oft-
cited security paradigm “the weakest link defines the security of the system” does
not apply here. We also do not rely on “perfect” parts or one “strong” evidence.
The WVS error-free design condition (see Section 6.3, Error-Free Condition) is
based on several, mostly independent (and possibly imperfect) evidences that
can build a correction channel with enough capacity so as to correct all but an
arbitrarily small fraction of the errors. This is a new security paradigm provided
by this approach [16, 17, 40, 41], which we call the mesh paradigm —a mesh
does not break if a link breaks.
With the WVS, one or more witnesses are used to capture the primary infor-
mation: what the voter sees and confirms on the screen. A primary information
witness may be used by itself as the voted ballot, possibly with better reliability
27
A conservative estimate obtained by applying the Saltman auditing model [43].
