Page 39 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
The Witness-Voting System 31
foundation for presenting the Witness-Voting System (WVS) later in 2001 [14],
now extended in this work.
The components [VITM, Requirements, WVS], which provide the framework used here, are based on our 1997 extensions of Information Theory: (1) we include interference caused by faults as well as attacks and threats (adversaries) [16] in the concept of noise; (2) we add the concept of trust [15]; and (3) we define an Information Transfer Model (ITM) [16]. Extensions (1) and (2) are discussed in Sections 6.2 and 6.4, while extension (3) is used in Section 6. The ITM uses (1) and (2) to achieve measurements with an error as small as desired in the presence of fault, security and threat considerations. The ITM has been in continuous development and, recently, was applied to qualitatively improve privacy and security in email communications [48].
8.3 Witnesses and Readers
The WVS uses the VITM, which is a model based on observables (i.e., witnesses or references) and observers (i.e., adequate readers of the witnesses).
Witnesses and readers may be "public" (i.e., independently accessible) or restricted to a set of parties (e.g., within a qualified security boundary). For transparency, witnesses should often be public, meaning that multiple parties (possibly also adversaries) are able to access them. The WVS design is open to the inclusion of public witnesses and readers, which more easily invites stakeholders to be part of the election setup and assures transparency regarding any step that may be seen as critical to the trustworthiness of the election's outcome. Further consideration is provided in [16].
A reader allows the information contained in the witnesses to be properly used by a verifier; thus witnesses and readers must be "adequate". However, neither perfect functionality nor full independence is required in order for witnesses and readers to be useful in reducing the effects of errors and fraud (see Sections 6.3 and 6.4).
An important question is: what can we trust if neither the software nor the hardware can be trusted? It is well-known that software cannot be trusted [49]. The same applies to hardware, where counterfeit or malicious components (see footnote 34) can compromise the very platform on which otherwise trusted software runs.
Attacks such as those defined in [49] and [50] are included in the definition of interference used in this work and presented in Section 6.2. Accordingly, the redundancy and diversity in the VITM/WVS design can increase reliability and combat perturbations caused by such attacks. The number of different components and implementations that we need to use, and how diverse they must be, is set and adjusted operationally by the Error-Free Condition (Section 6.3) and correction channel considerations (Section 6.4). As noted in Section 6.4, the oft-cited security paradigm "the weakest link defines the security of the system" does not apply here.
34 This threat is not new and defenses already exist (e.g., the MIL-SPEC process, Orange Book). However, as shown in the work of King et al. [50], such an attack is becoming easier to create and more difficult to detect.
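To make the redundancy-and-diversity argument above concrete, here is an added illustrative model; it is not the chapter's VITM formalism and not its Error-Free Condition (Section 6.3, which this page does not reproduce). It assumes each witness is corrupted independently with a constructed probability p, that the reader takes a majority of the witnesses, and that witnesses sharing one implementation fail together, so that a single dominant implementation remains a weakest link no matter how many copies of it are deployed.

```python
from itertools import product
from math import comb


def majority_error(n: int, p: float) -> float:
    """Probability that a majority-taking reader is misled when each of n
    independent witnesses is corrupted (by fault or attack) with probability p.
    n is taken to be odd so that a strict majority always exists."""
    needed = n // 2 + 1
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(needed, n + 1))


def witnesses_needed(p: float, target: float) -> int:
    """Smallest odd number of independent witnesses whose majority error is at
    most `target`; a stand-in for tuning redundancy operationally (assumption).
    Requires p < 1/2: a witness wrong more often than not cannot be helped."""
    if not 0.0 <= p < 0.5:
        raise ValueError("per-witness error probability must be below 1/2")
    n = 1
    while majority_error(n, p) > target:
        n += 2
    return n


def grouped_majority_error(group_sizes: list[int], q: float) -> float:
    """Diversity model: each implementation (group of witnesses) is compromised
    independently with probability q, and a compromised implementation makes
    every witness built on it report wrongly. Returns the probability that the
    wrong witnesses form a majority."""
    total = sum(group_sizes)
    needed = total // 2 + 1
    error = 0.0
    # Enumerate every pattern of compromised implementations (fine for a few groups).
    for pattern in product((False, True), repeat=len(group_sizes)):
        wrong = sum(size for size, bad in zip(group_sizes, pattern) if bad)
        if wrong >= needed:
            prob = 1.0
            for bad in pattern:
                prob *= q if bad else (1.0 - q)
            error += prob
    return error


if __name__ == "__main__":
    p = 0.1  # constructed per-witness / per-implementation corruption probability
    print("single witness (weakest link):", majority_error(1, p))
    print("independent witnesses for error <= 1e-3:", witnesses_needed(p, 1e-3))
    print("5 witnesses on one implementation:", grouped_majority_error([5], p))
    print("5 witnesses on 5 implementations:", grouped_majority_error([1] * 5, p))
    print("5 witnesses, three on one implementation:", grouped_majority_error([3, 1, 1], p))
```

With p = 0.1, nine diverse witnesses drive the majority error below one in a thousand, while five witnesses on a single implementation stay at the implementation's own 0.1.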