Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
The Witness-Voting System
bug, or a non-intrusive electromagnetic eavesdropping device that would record all N keys for later reuse without ever physically penetrating the platform). To work, this method also depends on non-physical assumptions, including that the election officials shall use independent judgment, cannot be coerced or intimidated, are not bound by a conflicting trust commitment such as one of a military, political or religious nature, do not constitute a cabal, and have a minimum level of honesty to resist collusion. It also assumes that the control system that enforces the threshold of collusion cannot be corrupted. The quorum method depends on a number of assumptions that in general are not revealed to the voters and are likely not suitable for public elections. This practice also fails to protect voter privacy under court or administrative order (when all keys and secrets must be revealed).
Information-theoretic privacy: Exemplified by election systems in which there is no reliance on cryptography in order to protect privacy (e.g., no reliance on public-key encryption). It defines a privacy strength that cannot be broken by computation, even with unbounded time and resources. Information-theoretic privacy, however, fails in the following examples: (a) parties share keys in advance and use one-time pads, which is impractical and subject to collusion (when keys are revealed); (b) parties share physically protected channels, which fails against collusion where the channel is compromised (also without detection); (c) parties share information (via secret-sharing techniques) and they are assumed not to pool it together, which fails against collusion. Information-theoretic privacy also cannot protect voter privacy in the case of a court order that mandates revealing all keys and secrets used in the system.
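As an added illustration (example code, not from the chapter) of the two collusion failures discussed above, the quorum key-custody method and secret-sharing case (c): a Shamir-style (t, n) threshold scheme over a prime field, which is an assumption of this example, since the text does not name a particular scheme. Fewer than t pooled shares are consistent with every possible secret, while t shares, or a court order compelling all n, yield it exactly.

```python
# Added example, not from the chapter: Shamir threshold secret sharing,
# used to show why secret-sharing privacy holds against fewer than t
# colluders and collapses the moment t keys are pooled.
import secrets

P = 2**127 - 1  # prime field modulus (an example choice, not from the text)


def _interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


def split_secret(secret, n, t):
    """Split secret into n shares (x, f(x)) of a random degree t-1 polynomial with f(0) = secret."""
    assert 0 <= secret < P and 1 <= t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def pool_shares(shares, t):
    """What a colluding group (or a court order compelling every holder) learns:
    the secret once t shares are pooled, nothing definite below that."""
    if len(shares) < t:
        return None
    return _interpolate(shares[:t], 0)


def consistent_shares(partial, candidate, n):
    """For fewer than t pooled shares, build a full set of n shares that agrees with
    `partial` on every pooled share yet encodes `candidate` as the secret, so the
    colluders' view is consistent with any secret (the information-theoretic claim)."""
    pts = partial + [(0, candidate)]
    return [(x, _interpolate(pts, x)) for x in range(1, n + 1)]
```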
Fail-safe privacy: Defined in [40] for election systems where voter privacy cannot be compromised even if everything fails including software and hardware, everyone colludes and there is a court order that mandates revealing all keys and secrets used in the system. Current paper ballot voting systems can provide fail-safe voter privacy.^30
7.2 Summary of Requirements
These Requirements are an extension of our previous work [40] and apply to voting systems and rules of any type. In terms of systems architecture, our goal is that the Requirements present a comprehensive consideration as to what is to be done (functional), how well a voting system is to perform (performance) and under what conditions it is to operate (environmental and non-functional). Requirements are created and dictated by the goal of minimizing interference.
^30 Fingerprints and DNA may be left on paper ballots by voters. If not prevented (e.g., by using a selection mask), this could be used to compromise privacy. However, the cost and resources in mounting such an analysis have been a deterrent in practice. Another way to compromise privacy is by matching paper fibers alongside a tear-off boundary, for paper ballots that provide a “receipt” to voters; this would, however, require the cooperation of the voter.

