Any ideas to make an Electronic Voter Machine more secure?

EVMs are not secure, they say. So how can we make it more secure than the existing one using cryptography?

  • Not sure how we can help here with the question in its current form. Very, very, very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
    – Paul Uszak
    10 hours ago

  • en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
    – D.W.
    5 hours ago

  • And also directly related: Can a device prove the identity of its own code?. BLUF - No.
    – Paul Uszak
    3 hours ago

encryption voting

edited 5 hours ago by D.W.

asked 12 hours ago by aashik

2 Answers

We can't make satisfactory Electronic Voting Machines. Their design faces conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.

  • Count votes (or at least: determine if there was more yes than no) with the result public.

  • Limit voting to one per registered voter.

  • Keep individual votes secret, even from organizers or/and if a person casting a vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

  • Resist denial of service.

  • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].

Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in an opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting roll is unsigned right before that insertion, and signing the voting roll right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.

Alternatives have been tried:

  • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting works as intended before and after voting. And it is to fear that various side channels (lifting a cover hiding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be made slow and noisy to covertly alter the counters.

  • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuits) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting a vote, without being able to tell the count, I have not heard that it was used.

The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.

[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, whose head is chosen by the prime minister, who is chosen by the Président de la République, whom the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs who gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and its integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.
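The footnote's remark about a checksum that the software computes and displays about itself can be made concrete. The following is an added example, not part of the original answer: a toy model comparing that self-reported check with a measurement taken by an independent reader. The `Machine` class, the image contents and the assumption that a verifier can read the installed image directly are all hypothetical.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample images (no real firmware appears on the page).
APPROVED_IMAGE = b"constructed approved build: tally yes/no as cast"
BITROT_IMAGE = APPROVED_IMAGE[:-1] + b"?"   # accidental single-byte damage
ALTERED_IMAGE = b"constructed build that differs from the approved one"
PUBLISHED = sha256_hex(APPROVED_IMAGE)      # value announced to observers


@dataclass
class Machine:
    """Toy model of a machine whose display is driven by its own software."""
    label: str
    image: bytes                      # what is actually installed
    echoes_stored_value: bool = False
    stored_value: str = ""            # the published value is public, so any build can carry it

    def displayed_checksum(self) -> str:
        # The running software decides what appears on the screen.
        if self.echoes_stored_value:
            return self.stored_value
        return sha256_hex(self.image)


def self_check(machine: Machine, published: str) -> bool:
    """What an observer at the polling place can do: compare screen to notice."""
    return machine.displayed_checksum() == published


def independent_check(machine: Machine, published: str) -> bool:
    """Assumed capability: the verifier reads the image with its own trusted
    reader and hashes it with its own code, bypassing the machine's software."""
    return sha256_hex(machine.image) == published


FLEET = [
    Machine("approved", APPROVED_IMAGE),
    Machine("bit-rot", BITROT_IMAGE),
    Machine("altered", ALTERED_IMAGE, echoes_stored_value=True,
            stored_value=PUBLISHED),
]


def audit(machines, published):
    """Return {label: (self_check_passed, independent_check_passed)}."""
    return {m.label: (self_check(m, published), independent_check(m, published))
            for m in machines}


if __name__ == "__main__":
    for label, (shown_ok, measured_ok) in audit(FLEET, PUBLISHED).items():
        print(f"{label:9s} displayed-checksum ok={shown_ok!s:5s} "
              f"independent measurement ok={measured_ok}")
```

The self-reported value catches accidental damage only; the one case where the two checks disagree is the case the check was supposed to rule out.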









  • Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
    – Paul Uszak
    9 hours ago

  • In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should be) destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter cast).
    – fgrieu
    8 hours ago

  • Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collect and sum the results of the ballot boxes.
    – kelalaka
    7 hours ago

  • @PaulUszak The identity is a main issue. Also, if you want, you can use a temporarily permanent ink (like silver nitrate) to distinguish users who have voted from those who have not. There is nothing that can prevent someone from selling his vote. The system in France prevents chain voting.
    – kelalaka
    7 hours ago

  • @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government-issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
    – Maeher
    7 hours ago
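The comment above about randomizing the address at which each vote is recorded, as an added example that is not part of the original thread: a sketch comparing sequential and randomized recording against someone who holds the signed roll in arrival order. The cartridge model, slot count, function names and sample data are assumptions made for illustration.

```python
import random
import secrets
from collections import Counter

# Constructed sample: 400 voters in arrival order, two of every three vote "yes".
ROLL = [f"voter-{i:03d}" for i in range(400)]
VOTES = ["yes" if i % 3 else "no" for i in range(400)]
N_SLOTS = 512  # hypothetical cartridge capacity


def record_sequential(votes):
    """Slot i holds the i-th voter's choice: storage order equals arrival order."""
    return list(votes)


def record_randomized(votes, n_slots, rng):
    """Write each vote to a uniformly chosen free slot, like mixing an urn."""
    if len(votes) > n_slots:
        raise ValueError("cartridge has fewer slots than votes")
    free = list(range(n_slots))
    cartridge = [None] * n_slots
    for vote in votes:
        slot = free.pop(rng.randrange(len(free)))
        cartridge[slot] = vote
    return cartridge


def tally(cartridge):
    return Counter(v for v in cartridge if v is not None)


def positional_guess(roll, cartridge):
    """Pair the N-th name on the roll with the N-th occupied slot."""
    occupied = [v for v in cartridge if v is not None]
    return dict(zip(roll, occupied))


def match_rate(guess, truth):
    return sum(guess[v] == truth[v] for v in truth) / len(truth)


def compare_layouts():
    truth = dict(zip(ROLL, VOTES))
    sequential = record_sequential(VOTES)
    randomized = record_randomized(VOTES, N_SLOTS, secrets.SystemRandom())
    # A generator with a known seed reproduces the same layout every time,
    # so the placement is only as private as the randomness behind it.
    seeded_a = record_randomized(VOTES, N_SLOTS, random.Random(2007))
    seeded_b = record_randomized(VOTES, N_SLOTS, random.Random(2007))
    return {
        "tallies_equal": tally(sequential) == tally(randomized),
        "sequential_match": match_rate(positional_guess(ROLL, sequential), truth),
        "randomized_match": match_rate(positional_guess(ROLL, randomized), truth),
        "seeded_layout_repeats": seeded_a == seeded_b,
    }


if __name__ == "__main__":
    for key, value in compare_layouts().items():
        print(f"{key}: {value}")
```

With these sample votes a blind guess already matches about 5/9 of the time, which is where the randomized layout lands; the sequential layout matches every voter.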



















I will give some links:

  • E-voting experiments end in Norway amid security fears

  • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

  • DEFCON 25 Voting Machine Hacking Village

  • Hacking a US electronic voting booth takes less than 90 minutes

  • Voting - What Is, What Could Be (2001)

  • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)

The last two are taken from the Caltech/MIT Voting Technology Project (VTP).
    Your Answer





    StackExchange.ifUsing("editor", function () {
    return StackExchange.using("mathjaxEditing", function () {
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    });
    });
    }, "mathjax-editing");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "281"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    aashik is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f67801%2fany-ideas-to-make-an-electronic-voter-machine-more-secure%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    8












    $begingroup$

    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.






    share|improve this answer











    $endgroup$









    • 1




      $begingroup$
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      $endgroup$
      – Paul Uszak
      9 hours ago






    • 2




      $begingroup$
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
      $endgroup$
      – fgrieu
      8 hours ago






    • 1




      $begingroup$
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
      $endgroup$
      – kelalaka
      7 hours ago










    • $begingroup$
      @PaulUszak The identity is a main issue. Also, if you want, you can use a temporarily permanent ink (like silver nitrate) to distingused voted users with not voted. There is nothing can prevent someone to sell his vote. The system in France, prevents the chain voting.
      $endgroup$
      – kelalaka
      7 hours ago






    • 2




      $begingroup$
      @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      $endgroup$
      – Maeher
      7 hours ago
















    8












    $begingroup$

    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.






    share|improve this answer











    $endgroup$









    • 1




      $begingroup$
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      $endgroup$
      – Paul Uszak
      9 hours ago






    • 2




      $begingroup$
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
      $endgroup$
      – fgrieu
      8 hours ago






    • 1




      $begingroup$
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
      $endgroup$
      – kelalaka
      7 hours ago










    • $begingroup$
      @PaulUszak The identity is a main issue. Also, if you want, you can use a temporarily permanent ink (like silver nitrate) to distingused voted users with not voted. There is nothing can prevent someone to sell his vote. The system in France, prevents the chain voting.
      $endgroup$
      – kelalaka
      7 hours ago






    • 2




      $begingroup$
      @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      $endgroup$
      – Maeher
      7 hours ago














    8












    8








    8





    $begingroup$

    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.


































    edited 5 hours ago
    answered 9 hours ago
    fgrieu








    • 1
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      – Paul Uszak
      9 hours ago

    • 2
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should be) destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter cast).
      – fgrieu
      8 hours ago

    • 1
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collect and sum the results of the ballot boxes.
      – kelalaka
      7 hours ago

    • @PaulUszak The identity is a main issue. Also, if you want, you can use a temporarily permanent ink (like silver nitrate) to distinguish users who have voted from those who have not. There is nothing that can prevent someone from selling his vote. The system in France prevents chain voting.
      – kelalaka
      7 hours ago

    • 2
      @PaulUszak What do you mean by "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      – Maeher
      7 hours ago
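
The randomized-address recording that fgrieu's comment above describes, as an added Python sketch that is not part of the original thread or of any real machine's code; the `Cartridge` class, slot count and payloads are constructed assumptions. It compares sequential and random slot assignment and measures how often reading the cartridge in address order still identifies the first voter's record.

```python
import secrets
from collections import Counter


class Cartridge:
    """Constructed model of a fixed-size vote memory; not a real machine's format."""

    def __init__(self, slots, randomized):
        self.cells = [None] * slots
        self.randomized = randomized
        # OS CSPRNG: a guessable PRNG would let an analyst replay the "mixing".
        self._rng = secrets.SystemRandom()

    def record(self, payload):
        free = [i for i, c in enumerate(self.cells) if c is None]
        if not free:
            raise RuntimeError("cartridge full")
        # Sequential mode fills the lowest free address; randomized picks any free one.
        slot = self._rng.choice(free) if self.randomized else free[0]
        self.cells[slot] = payload

    def occupied(self):
        """Records in address order, as someone reading the cartridge sees them."""
        return [c for c in self.cells if c is not None]

    def tally(self):
        return Counter(self.occupied())


# Constructed sample: eight votes in the order the voters signed the roll.
CHOICES = ["yes", "yes", "no", "yes", "yes", "no", "yes", "yes"]


def tally_demo(randomized, slots=32):
    """The published result must not depend on how slots are assigned."""
    cart = Cartridge(slots, randomized)
    for choice in CHOICES:
        cart.record(choice)
    return cart.tally()


def first_voter_exposed(randomized, trials=2000, voters=8, slots=32):
    """Fraction of trials where the lowest occupied address holds voter #1's record.

    The payload is the arrival index, used only to measure linkage.
    """
    hits = 0
    for _ in range(trials):
        cart = Cartridge(slots, randomized)
        for seq in range(voters):
            cart.record(seq)
        hits += cart.occupied()[0] == 0
    return hits / trials


if __name__ == "__main__":
    print("tally sequential:", dict(tally_demo(False)))
    print("tally randomized:", dict(tally_demo(True)))
    print("first voter linked, sequential:", first_voter_exposed(False))
    print("first voter linked, randomized:", first_voter_exposed(True))
```

Randomizing the address removes only the positional link; any timestamp, log or write counter stored alongside the records would restore the order.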

























    0












    I will give some links:

    • E-voting experiments end in Norway amid security fears

    • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

    • DEFCON 25 Voting Machine Hacking Village

    • Hacking a US electronic voting booth takes less than 90 minutes

    • Voting - What Is, What Could Be (2001)

    • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)

    The last two are taken from the Caltech/MIT Voting Technology Project (VTP).






























    answered 6 hours ago
    kelalaka





















