Page 386 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 386
J. Kelsey et al.
378
cannot cast a ballot and retain the modified sheet. This could be accomplished
by constructing the modified back sheet such that it looks normal to the human
eye but is unreadable to the scanner. Alternatively, the scanner could be involved
in the attack, and recognize the ballot ID as a tampered rear ballot that should
be rejected. In both cases the voter would have to obtain a new ballot and revote.
This attack can be prevented by including special procedures for the handling
of unscannable ballots. Unscannable ballots should be treated differently than
other invalid ballots. Voters must be allowed to keep an unmarked copy of the
unscannable ballot as a receipt and then be given an opportunity to vote again.
During the post-election audit, election officials should open the commitment to
the same half of the ballot the voter was given. The voter could use the receipt
to check whether this attack occurred by comparing the opened commitment to
the ballot receipt. The commitment to the other half should remain unopened
in order to protect against coercion attacks.
Variations of this attack can be applied to other E2E schemes. A similar attack
can be applied to Prˆet-`a-voter with the cooperation of ballot scanners. However,
this attack appears much less likely to go unnoticed in practice. In this case,
the right-hand side of the ballot would be altered by swapping the names of
two candidates. Attackers would also modify ballot scanners so that they would
respond with an error when modified ballots are audited.
4 Incentives, Voter Coercion and Vote Selling
Voter coercion attacks aim to give one person undue influence over another
person’s vote. Often, the attacker influences the voter by rewarding the voter
for voting for a particular candidate or punishing the voter for failing to do so.
However, as attackers can also seek to influence votes rather than force them,
it is acceptable for coercion attacks to provide an incentive toward voting a
particular way. This observation opens the door for a wide variety of attacks
that, while not perfect, can be effective at influencing voters.
Voter coercion is inherently a contract. Voters agree to vote a particular way
in exchange for a reward or to avoid punishment. A successful attack requires a
way to enforce the contract. The goal of a coercion attack is to create a protocol
between a coercer and voter that tends to reward voters that vote correctly. A
protocol need not be perfect. It may occasionally reward voters incorrectly that
voted for the wrong candidate. As long as the probability of being rewarded is
higher when a voter votes correctly, the protocol will provide an incentive for
voters to vote correctly. Alternatively, a protocol may occasionally fail to reward
voters that vote correctly. Protocols that never fail to reward honest voters can
be considered contract enforcement protocols. In this case, all voters failing to
3
be rewarded by the protocol could be punished severely , knowing that only
dishonest voters would be punished.
3
A real world example of such punishment comes from the days of machine politics
in the United States, where city or state employees’ jobs could depend on voting the
right way.
