
How not to prove your election outcome [pdf] - pesterazor
https://people.eng.unimelb.edu.au/vjteague/HowNotToProveElectionOutcome.pdf
======
brownbat
Key:

> "Although it would be informally apparent that something had gone wrong..."

ie, there's a spectrum of voting attacks. Ballot stuffing is more powerful
than ballot burning. If you can target specific districts or voters, then
ballot burning can have the same effect on the overall outcome, so it is still
incredibly serious, but just takes extra work. This is ballot burning.

> "it seems that our exploit would put the system in an “impossible state”,
> which would make it difficult to define a meaningful investigation process."

If I'm reading this right, ballot burning itself might have two subtypes --
invisible and leaving big messy scorch marks. This is the latter type. Still
serious, but different. You could DoS an election's integrity, forcing
emergency runoffs or stalling out democratic processes, or forcing a failover
to legacy systems that might be easier to launch higher level attacks against.

This will probably add to the antipathy against electronic voting systems, but
I don't blame Scytl-SwissPost for trying. Our current system features
disappearing ballot boxes, local level ballot design flaws, and relies on the
postal system for absentee ballots. Whatever the mix of media, part paper or
electronic, we need to be working towards something more cryptographically
sound.

[https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems](https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems)

~~~
jacques_chester
> _I don't blame Scytl-SwissPost for trying._

I do.

> _Our current system features disappearing ballot boxes, local level ballot
> design flaws, and relies on the postal system for absentee ballots._

None of these are fixed by electronic voting.

They are fixed by fixing them.

~~~
brownbat
Based on the dismissive tone, you might not really be interested in any
discussion here, so apologies if I'm throwing gas on a fire.

But we have different takes on how to solve those problems, so I want a shot
at clarifying my position, and I'm genuinely interested in what your
(nonelectronic) solutions might be.

The problems I pointed out are the sort of problems that stem from requiring
that we trust untrustworthy third parties. Now, it's not like USPS is
nefarious, just that they sometimes lose or misdeliver letters without
informing the sender. Local officials who manipulate vote counts by losing
boxes or prefilling absentee ballots... well, less innocent.

If you're talking about ensuring the integrity and availability of
information, or controlling who can see or alter it, you're really talking
about a problem in cryptography.

"Fix this by fixing them"

We certainly wouldn't have these problems if we could just demand that
everyone engage in trustworthy behavior. That's always true for problems in
information theory, or cryptography more generally. And we should back any
framework with a strong legal framework to punish manipulation of elections.
Vote tampering is illegal, but we should make sure those laws are effective.

More generally though, if we could just rely on "demand all parties are
trustworthy" as a cryptographic primitive, then all protocols would be
trivial.

Imagine if the typical take on electronic voting was applied to any other area
of cryptography.

"I don't trust encryption schemes unless they are done on paper and
administered by my local government!"

It would sound odd, right? Why this one?

I think we got here as a community as a reaction to governments and equipment
makers like Diebold making claims about electronic voting that sounded like
they believed in or were lying to the public about perfect security. Obviously
anyone claiming their system is unhackable is trying to con someone.

On the other hand, distributed paper voting as a protocol has a ton of failure
points too. And (electronic) cryptography could help with some of those
issues. (You don't have to go all electronic. You can keep paper for some
parts of the process where paper works best.)

So I've come around to a third way. We need to get past "paper is the answer"
or "electrons are the answer" and get to a place where we are honest about the
flaws in all systems, we lay out the properties of elections we want to
safeguard, and figure out the best protocols and mediums and even UX to get us
there.

Seriously though, if you have good incremental ideas for fixing how we do
absentee ballots, I'm definitely open to hearing more good ideas. And we'll
definitely want small steps, rather than diving into any radical changes that
suddenly break the system.

~~~
jacques_chester
> _We certainly wouldn't have these problems if we could just demand that
> everyone engage in trustworthy behavior._

Do you think this is how paper ballots work?

> _It would sound odd, right? Why this one?_

Because ballots require both ballot secrecy and democratic legitimacy. You
can't have both in an electronic voting system. Cryptographic schemes either
claim perfect mixing and anonymisation, in which case it's impossible to
detect shenanigans. Or they don't have perfect mixing and anonymisation, in
which case it's possible to pierce ballot secrecy.

Paper is unwieldy and you can insert many mutually-distrustful humans into
many steps. This makes it exponentially more difficult to subvert at scale
without detection.

These are features. Please can we just take a moment to accept that sometimes,
_atoms are better than electrons_.

~~~
brownbat
Some interesting points, thanks for the reply.

> Do you think this is how paper ballots work?

It was definitely hyperbole. But I think there is a lot of assumption of
trust in the status quo, and I think we are frequently let down by that
assumption. Not all the time. It's not an apocalypse. But we could do better.

> more difficult to subvert at scale

That's a great point. If you have a single point of failure through E2E, then
individual attacks are much more significant.

Nationwide elections are often decided by a handful of key districts though.
And the different systems in all these districts can make it hard to detect
whether things are broken by design or coincidence. Tools from distributed
consensus could make tampering more obvious in one large system.

But you're right, in general E2E makes this harder, not easier.

> ballots require both ballot secrecy and democratic legitimacy

100% agree. But this is an issue for paper too. If we allow paper receipts,
you can later verify your vote, but you can also sell the receipt, destroying
the secret ballot.

Secrecy and verifiability seem impossible to reconcile at first glance. But
there are actually ways to do this through repudiation that might work for
either paper or electronic voting.

Estonia's model has other flaws, but had an interesting solution here. They
went as far as internet voting. So, worst case, imagine the local boss is at
your apartment with a gun to your head, you vote online. But the trick was,
any time after that you could walk into a polling place and cast an overriding
vote that cancels the earlier vote. That's just one example of this technique,
and weeks-long elections probably wouldn't work for our system. But the
general idea of repudiation or false votes is a useful tool.

With paper receipts, you could allow citizens to print false receipts at the
polls as well, then that would preserve the secret ballot. Unfortunately it
could also make it impossible for them to prove miscounting.

If the FEC and the voter had two shared secrets, one that unlocks the true
vote and one that unlocks a false vote, you could accomplish both goals. You
could have a deniable vote, but where the voter and the FEC could only prove
to each other which one was correct.

I'm not sure you get the same guarantees with paper at scale. But maybe
receipts with dummy receipts would get close enough.

I think another argument you could make is based on federalism. We currently
have a system that guarantees every local polity can make whatever decisions
they want about how to run their elections, out of a respect for distributed
powers. E2E is not a good solution if we just have a hard requirement for
distributed management of elections.

Appreciate the response. I am still grappling with a lot of these issues, and
place enormous value on getting the conversation away from "paper good,
electrons bad" to an open discussion of why we all have those really strong
assumptions.

~~~
jakeogh
We are as a species electronics noobs. Applying our new shiny toys to
everything is natural.

Electronic voting lowers the bar because it moves away from physical
representation of people and ballots. Mail-in makes it easier to game for the
same reason.

