Towards Trustworthy Elections: New Directions in Electronic Voting, eds. David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida (page 28 of the PDF)
20    E. Gerck
than the voted ballot kept solely under EO control. However, one “strong” piece of evidence can never be perfectly strong: it may, and will, fail. The objective of the WVS is thus not to rely on one “strong” piece of evidence, which can never be perfectly strong, but on several, mostly independent, pieces of evidence.
Instead of saying “all parts are perfect” or “there really has to be security on every single piece”, which is impossible to obtain since one piece will inevitably be the weakest link, we say “there really has to be one or more alternate secure paths in case any single piece fails, because fail it may”.
Instead of a “Fort Knox” approach (“make it stronger”) that relies on what becomes a single point of failure (or congestion), this approach calls for a mesh of links such that a number of links may fail at the same time without compromising accuracy, reliability, and voter privacy.
The same solution applies to preventing faults and fraud, but we start with a “Default Denial” policy that also originates from trust considerations: trust is earned [15]. In other words, everything is denied until there is acceptable proof that it should not be. And acceptable proof must come in more than one way, and must be verified in more than one way, as qualified reliance on information [15] (see Table 3, Trust Conditions).
6.5 Preferred Setup
The VITM is based on our Information Transfer Model (ITM) [16], which uses the conceptual separation of a subject into witness-objects (observable entities, acting as witnesses or references for chosen properties of the subject) and reader-objects (observer entities, acting as adequate readers of the witnesses).
To implement the VITM in a preferred setup that can be directly implemented as a Witness-Voting System (WVS, Section 8), we analyze the voting process and define a first subject property to be the election outcome. During the election, witness-objects will witness events and then become available as observable entities for reader-objects at specific time periods, including for tallying and auditing.
Next, we define the witness-objects (hereafter, witnesses) and reader-objects (hereafter, readers) that the verifiers need to establish. Further consideration is provided in Section 8.3. Independently of any witnesses and readers set up by a particular verifier called the Election Operator (EO), the VITM allows witnesses and readers to be added at any step of the process by other verifiers. The witnesses and readers shall be designed to be privacy-preserving, so that there are fewer limitations on who the verifiers may be or how they are supposed to act.
If verifiers wish to add more witnesses (readers) than may be desirable in terms of a practical design, a cut-and-choose strategy can be applied to allow a smaller number of witnesses (readers) to be chosen without bias. To reduce complexity, the end-to-end argument (footnote 28) can be used to place witnesses preferentially at, for example, the start point A (what the voter sees and casts) and the end point B (the tally results).
28 Instead of demanding complete and correct control at every intermediate step, control the end points [44].
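The following toy model is an added example written for this edition; it is not code from the paper or from any WVS implementation. It puts the three ideas above together: a reader applies the “Default Denial” policy over several independent witnesses (accepting an observation only when a quorum corroborates it and no surviving witness contradicts it), the witnesses at each end point are chosen cut-and-choose style from a larger pool using entropy contributed by every verifier so that no single verifier steers the choice, and the end-to-end argument is applied by checking only the two end points A (ballots as cast) and B (tally). All names, the quorum of 3, the sample ballots and the verifier entropy strings are assumptions constructed for illustration.

```python
# Added example (not from Gerck's paper): a toy reader that applies the
# "default denial" policy over several independent witnesses at the two end
# points A (ballots as cast) and B (tally). Names, thresholds and data are
# assumptions constructed for illustration.
import hashlib
import json
import random
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Witness:
    name: str
    observed: Optional[str]  # digest of what was witnessed; None = failed link


def digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable observation."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def select_witnesses(pool, k, contributions):
    """Cut-and-choose style selection: the subset is derived from a hash over
    entropy contributed by every verifier, so no single verifier (the EO
    included) can steer which witnesses are chosen."""
    seed = hashlib.sha256(b"".join(sorted(contributions))).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return rng.sample(sorted(pool, key=lambda w: w.name), k)


def default_deny(witnesses, quorum):
    """Deny unless at least `quorum` surviving witnesses corroborate one
    observation and no surviving witness contradicts it. Failed links are
    tolerated and reported; dissent is reported for audit."""
    failed = [w.name for w in witnesses if w.observed is None]
    votes = Counter(w.observed for w in witnesses if w.observed is not None)
    if not votes:
        return {"accepted": False, "reason": "no surviving evidence", "failed": failed}
    best, support = votes.most_common(1)[0]
    dissent = {d: [w.name for w in witnesses if w.observed == d]
               for d in votes if d != best}
    if support >= quorum and not dissent:
        return {"accepted": True, "digest": best, "support": support, "failed": failed}
    reason = "dissenting witnesses" if dissent else "quorum not reached"
    return {"accepted": False, "reason": reason, "support": support,
            "dissent": dissent, "failed": failed}


def end_to_end_check(ballots, published_tally, point_a, point_b, quorum):
    """Control the end points: the published ballots must match what A
    witnessed, and the tally recomputed from them must match both what B
    witnessed and what the EO published."""
    a, b = default_deny(point_a, quorum), default_deny(point_b, quorum)
    if not (a["accepted"] and b["accepted"]):
        return {"accepted": False, "reason": "end-point evidence denied", "A": a, "B": b}
    if digest(ballots) != a["digest"]:
        return {"accepted": False, "reason": "published ballots differ from A"}
    recomputed = dict(Counter(ballots))
    if digest(recomputed) != b["digest"] or recomputed != published_tally:
        return {"accepted": False, "reason": "tally does not follow from A to B"}
    return {"accepted": True, "tally": recomputed}


# Constructed scenario: five ballots, three verifiers contributing entropy.
BALLOTS = ["yes", "no", "yes", "yes", "no"]
HONEST_TALLY = {"yes": 3, "no": 2}
CONTRIBUTIONS = [b"verifier-1 entropy", b"verifier-2 entropy", b"EO entropy"]
QUORUM = 3


def make_pool(prefix, seen, n=8, failed=2):
    """n witnesses that all saw `seen`, except the first `failed`, whose link failed."""
    return [Witness(f"{prefix}{i}", None if i < failed else seen) for i in range(n)]


def run_honest():
    """Two failed links per end point are tolerated: 5 chosen, at least 3 agree."""
    point_a = select_witnesses(make_pool("A", digest(BALLOTS)), 5, CONTRIBUTIONS)
    point_b = select_witnesses(make_pool("B", digest(HONEST_TALLY)), 5, CONTRIBUTIONS)
    return end_to_end_check(BALLOTS, HONEST_TALLY, point_a, point_b, QUORUM)


def run_tampered_tally():
    """The EO publishes a flipped tally while the A and B witnesses saw the truth."""
    point_a = select_witnesses(make_pool("A", digest(BALLOTS)), 5, CONTRIBUTIONS)
    point_b = select_witnesses(make_pool("B", digest(HONEST_TALLY)), 5, CONTRIBUTIONS)
    return end_to_end_check(BALLOTS, {"yes": 2, "no": 3}, point_a, point_b, QUORUM)


def run_dissent():
    """One A witness reports a different ballot set: deny and flag for audit."""
    pool = make_pool("A", digest(BALLOTS), failed=0)
    pool[3] = Witness("A3", digest(BALLOTS + ["yes"]))
    return default_deny(pool, QUORUM)
```

Two design choices are worth noting. A failed witness (observation `None`) never blocks acceptance as long as a quorum of the remaining witnesses agree, which is the mesh-of-links property; a witness that actively contradicts the majority does block acceptance, because under default denial a contradiction means the proof is not yet acceptable and the dissent is handed to audit rather than outvoted. The selection hash over all verifiers' contributions is the simplest unbiased cut-and-choose; a deployment would have verifiers commit to their contributions before revealing them so that the last contributor cannot grind the seed.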

