Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
1. Fail-safe voter privacy. The inability to link voters with votes is required.
Voter privacy MUST be assured even if everything fails to function properly, or
is forced to function improperly, everyone colludes and there is a court order to
reveal all election data, without time limitation.
2. Collusion-free vote secrecy. The inability to know individual votes is
required. Vote secrecy MUST be assured even if all election means (e.g., voted
ballots) and security keys are made known by an attack or a fault (i.e., vote
secrecy MUST NOT depend only on communication protocol and cryptographic
assumptions, or on a threshold of collusion for the key holders).
3. Verifiable election integrity. The inability of any number of parties
to influence the outcome of an election except by properly voting is required.
The system MUST provide verifiability that each vote tallied originated from an
eligible voter and that all votes are tallied as seen and cast by voters. For any
voter the system MUST also provide verifiability that there is one and only one
valid ballot cast by the voter in the ballot box.
4. Fail-safe privacy in verification. Voters MUST NOT have to disclose
their identity in order to verify their votes or report a perceived error. Fail-safe
voter privacy (Requirement #1) MUST be preserved even when voters participate
in a verification process.
5. Physical recounting and auditing. MUST provide for reliability in
auditing and vote recounting, with an error rate as low as desired. The auditing
and vote proofs MUST be capable of being physically stored offline and verified
for integrity in real-time during the election, without compromising any other
Requirement and allowing effective human verification.
6. 100% accuracy. Each vote or absence of vote (blank vote) MUST be
correctly counted, with accuracy (spread of a single measurement) error as close
to zero as desired. Counting and recounting ballots MUST NOT reduce accuracy.
7. Manifold of links (mesh system). MUST use a manifold (mesh) of
redundant links and keys to securely define, authenticate and control ballots.
MUST avoid single points of failure or congestion—even if improbable.
8. Offline secure control structure. MUST provide an offline secure end-to-end
control structure for presenting and collecting information from voters
(e.g., ballots). MAY use digital certificates under a single issuing authority. The
control MUST be data-, representation-, and language-independent.
9. Authenticated choice representation. The representations of the
choices available to each voter, including ballot style and ballot rotation if ballots
are used, MUST be authenticated and MUST be provided with a control means
that also authenticates the voter.
10. Authenticated user-defined presentation. If voters MAY choose language,
font size, layout, display format, and other presentation properties, the
choices MUST be authenticated but SHOULD NOT be provided with a control
means that also authenticates the voter.
11. Allow voter to review and change choices before casting ballot.
MUST allow voters to review and change choices from “vote” to “blank vote” or

