
Selene: Voter-Friendly, Receipt-Free Verification - ffwang2
https://medium.com/mit-security-seminar/selene-voter-friendly-receipt-free-verification-f05139155790
======
buro9
If it takes a 56 page PDF to explain, and an explanation on encryption... it's
too complex.

Just do it with paper, have multiple observers, never count to more than 10
(10 slips = 1 bundle, then count 10 bundles and make 1 large bundle, etc).

Basically, I like the UK way. It's not even slow, the whole country gets the
results before they wake up the next morning.

The whole thing can be verified, and it can be reverified easily later.

~~~
pasbesoin
It suddenly occurs to me: Another aspect of pervasive biometrics. The State --
or, private entity with sufficient influence to access the ballots (think
especially but not only at the local/regional level) -- scans the paper
ballots for prints. Suddenly, they know how you voted.

(DNA as well, I guess, but we are further away from having instant/economic
mass DNA scanning.)

~~~
IanCal
That's not a huge concern, since in the UK there's a record of voter id ->
ballot paper id kept. With access to that and the ballot papers you can tell
how everyone voted.

------
gervase
I don't think looking at this as a replacement for the existing ballot system
is the right way to look at it. For the kinds of elections that are currently
conducted, the current ballot systems may be sufficient, and even preferable,
as other posters have argued.

In my opinion, research into new, more technical voting systems is not about
our existing elections, but about new types of 'assessments of opinion' (AOO)
differentiated from the current understanding of an 'election'.

For example, current systems assume that 'elections' occur relatively
infrequently, are restricted to a certain number of choices, and that the
person voting is sharing only their own opinion.

However, if we wanted to implement a system in which legislative decisions
(proposing and passing laws, let's say) were made by the population as a
whole, possibly several times per day, in a geographically distributed manner
and supporting both direct and indirect delegation, any system that is
intrinsically based on a paper ballot is not a feasible solution. Perhaps we'd
also want to support conditional delegation as well; for example, this person
receives my vote for topics localized to a 30 mile radius, while person B
receives my vote for topics related to privacy protections, and so on (with
additional rules for preemption/disambiguation, etc).

It wouldn't even necessarily have to be used for traditional governance - it
could scale to be used for voting with a group of friends, a business, a
shared-interest group, etc.

This is obviously a very tricky problem to solve, particularly if you add
(optionally?) other requirements such as verifiability, secrecy, and so on. I
haven't read the full PDF posted by the author, but I think it's likely that
the proposed system solves only a portion of the problems described above,
given the complexity of the requirements.

That being said, I certainly don't think saying "paper is always the way to
go, because it's the simplest" or "these kinds of developments are solutions
in search of a problem" are constructive. Addressing the weaknesses of a
specific solution is one thing, but saying that the existing ballot system is
optimal (particularly given the audience of HN) is a surprising sentiment to
see here. Sufficiently long-standing problems (are capitols necessary?) may
not be immediately visible to us, but that doesn't mean they aren't there, and
we should strive to be open-minded - even towards imperfect solutions.

Just my 3 cents.

~~~
Natanael_L
It doesn't even have to have anything to do with the state. Votes in school
classes? On a corporate board? In games? A working secure anonymous voting
system could be useful everywhere.

My own sketch kind of "cheats" a little - I'm using Secure Multiparty
Computation to achieve a cryptographically protected opaque VM distributed
against mutually distrusting entities. This makes practically everything else
easy - vote input data can be anything, and you can have any imaginable type
of vote trivially. Per-choice scoring? Choice ranking? Switching is easy too.

[https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mp...](https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/)

Still only a blueprint, but technically possible. I'm going to look into how
this particular scheme works and see what they're doing different that could
be reused, if anything is applicable.

Edit: reading it now. Turns out their approach is remarkably similar to mine
on a high level! But their cryptographic constructions differ and are
definitely more advanced.

------
hliyan
The gist of the method of verification, from the linked slide deck:

    Typically, voters get a “protected receipt”, i.e. an
    encrypted/encoded version of their vote.

    Cast receipts are posted to a secure web bulletin board.
    Voters can verify that their receipt is correctly posted.

    A (universally) verifiable, anonymising tabulation is
    performed on the posted receipts.

~~~
nickbauman
So there is a receipt but, in the interests of preventing tampering (?), the
voter won't be able to understand it.

It still requires a complex software system that no lay person (and no expert
in short order) can verify.

That problem remains and it isn't really a technical one. Any voting machine
has to be able to be verified using simple visual, mechanical inspection for
the people to trust it. More technology will only undermine trust further.

~~~
rspeer
My understanding is that this system is trying to solve one particular
problem: how can you be sure your vote was counted? A simple visual inspection
probably isn't enough to convince me that my ballot box won't be dropped off
the back of a truck later.

That said, I do have some question about how thoroughly it addresses that
problem.

A lot of the presentation is about difficult edge cases, such as how a voter
can falsely verify their vote to someone who's coercing them to vote a certain
way. This part seems quite complicated, but it kind of has to be. Maybe an
interest group could make step-by-step instructions available to groups of
voters who they think are likely to be coerced.

What I don't know from the presentation is, is the simple case understandable?
If I am a reasonably normal person who has never been to a key-signing party
and does not code El Gamal for fun, will I be able to verify my vote? Do I
need to personally do the math and computation that would verify my vote, or
would there be a usable, trustworthy app of some sort that does it?

Here's another threat model that they don't discuss: what if I don't like this
system and I want to undermine it, and I use a false verification code to say
"look, you counted my vote for the wrong candidate, this system is corrupt"?
Presumably nobody would be able to say I was wrong, and nobody would be able
to distinguish a real election flaw from my fictitious one.

~~~
nickbauman
A ballot box falling off the back of a truck is a voting system problem that
is utterly unrelated to the "verifiable voting mechanism" problem. Talking
about them in the same sentence this way obscures both problems.

~~~
rspeer
I mentioned it hyperbolically, as a way of saying a voting system being simple
and inspectable is not sufficient to make your vote verifiable.

------
nickpsecurity
buro9 hit the nail on the head. The most important, often neglected, issue is
that voters will understand and trust it. I've been digging through voting
schemes for a while trying to find this one requirement. Fortunately, I did
find one in a discussion on Schneier's blog:

Scantegrity voting scheme
[https://web.archive.org/web/20110324052432/http://www.scante...](https://web.archive.org/web/20110324052432/http://www.scantegrity.org/)

[https://web.archive.org/web/20110728002210/http://www.scante...](https://web.archive.org/web/20110728002210/http://www.scantegrity.org/learnmore.php)

I'd still like to see experts in cryptography and voting architecture do a
thorough evaluation of its security. However, the process is simple enough
that about any location should be able to implement it and about any person
use it. I mean, there might be modifications for accessibility reasons. Second
link has the papers.

Anyway, what do you all think about Scantegrity in general and as a default
recommendation for secure voting?

~~~
specialist
I manually worked thru a hypothetical election using Punchscan for my
jurisdiction. It didn't protect voter privacy.

With paper ballots, dropping your ballot into the ballot box is the secure
one-way hash (assuming enough people are voting).

The trick crypto systems do is hide your ballot within a herd of ballots,
using some kind of one way hash, assuming there will be hash collisions. Works
great with simple ballots (few races) and large numbers of voters.

Alas, in my jurisdiction, the smallest political (bookkeeping) unit is a
precinct (ranging from 0-1000 voters) and our ballots have 10-40 races. So
combinatorially, it's likely each ballot is uniquely identifiable.

A crypto system _might_ work if our complex ballots were separated into more
simple ballots, e.g. one each for national, statewide, county, and local races.

Rant: My primary grievance with proponents of crypto for voting is they do not
specify under which conditions their systems will and will not protect voter
privacy. That is very intellectually dishonest, with a dash of technophilia.

After studying this, extensively, crypto based voting systems for elections
are complete non-starter for me. I'd rather forfeit voter privacy than embrace
an inscrutable system that I can barely understand.

------
pyaryan
Did you know btw that in the UK your vote is not really private: there is a
serial number on the ballot that is noted down against your name in the
register?!

------
pyaryan
As the author of the Selene scheme and the talk I should add some
clarifications:

Selene is explicitly _not_ intended for high-stakes, binding votes to
elections. It may be suitable for some forms of election, e.g. of officials of
professional bodies, student societies etc., in the way that say Helios has
been used. I want to stress that I, like many in the verifiable voting domain,
do not advocate internet voting for serious elections. We currently know of no
scheme that provides sufficient levels of verifiability, coercion resistance
and usability.

A primary goal of Selene is to make the verifiability step as simple and
understandable as possible. In contrast to most existing E2E verifiable
schemes voters do not have to handle encrypted ballots to perform the
verification, they simply look up their vote in the clear on the WBB using
their private tracker. Of course, making the verification so transparent, as
opposed to the usual practice of checking the presence of an encrypted ballot,
has its costs in terms of receipt-freeness and coercion resistance, but we
have tried as far as possible to mitigate these.

The scheme does use some fairly sophisticated crypto but as far as possible
this is all under the bonnet as far as the voter is concerned. Of course, to
understand the arguments for the security claims would require at least some
superficial understanding of the crypto, but my guess is that most voters will
not be that interested, or will be happy to accept the evaluation of experts.

I don't believe that it takes 59 or whatever slides to explain the key
features of the system:

There are constructions, transparent to the voter but verifiable by expert,
interested parties, to guarantee that no two voters get the same tracker.

There is a mechanism to notify voters of their tracker after the trackers and
votes have been posted in the clear.

The fact that voters learnt their tracker only after the posting of this
information helps mitigate the obvious coercion strategy: ask the voter to
reveal her tracker.

The notification is set up in such a way that a coerced voter can fake it to
appear to reveal an alternative tracker, pointing to the coercer's vote.

Verifying your vote is simple: look up your tracker and check that the vote
alongside it is correct. This is of course in any case optional; voters
can just vote and go.

Much of the content of the slides is just discussing the background, contrast
with other E2E schemes, etc.

A paper describing the scheme in detail will be available shortly. I welcome
feedback.

------
pyaryan
The scheme does not require 56 pages or whatever to explain. There is some
crypto under the bonnet that is designed to guarantee essentially the
following:

1. Every vote will get a unique tracker number.

2. The voter is notified of his or her tracker after the votes/trackers have
been posted to the Web Bulletin Board. This is to give a coerced voter the
chance to identify a tracker number that points to the coercer's required
vote.

3. Each voter is notified of her/his tracker in a way that allows them to deny
it and claim another tracker that points to the vote demanded by the coercer
(which they identified in 2).
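The three guarantees above, modelled as an added toy example that is not the Selene scheme's own code or cryptography: the verifiable unique-tracker construction and the deniable notification are replaced by plain random draws and a board lookup, so only the logical flow is shown, and the ballot ids and votes are constructed sample data. It also shows the failure mode raised earlier in the thread, where a vote nobody else cast leaves the coerced voter no alternative tracker to claim.

```python
import random
import secrets
from collections import Counter

# Constructed sample data: ballot id -> vote cast. Ballots b1 and b3 share a
# choice; b4's vote is the only one of its kind on the board.
SAMPLE_VOTES = {"b1": "A", "b2": "B", "b3": "A", "b4": "C"}


def assign_trackers(votes, seed=None, tracker_bits=20):
    """Give every cast vote a distinct tracker (toy stand-in for guarantee 1).

    Returns (board, notifications): `board` is what the Web Bulletin Board
    publishes in the clear, tracker -> vote; `notifications` maps ballot id ->
    tracker and is revealed to each voter only after `board` is posted
    (guarantee 2). A seed gives reproducible trackers for testing; otherwise
    trackers are drawn from the OS CSPRNG.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    board, notifications = {}, {}
    for ballot_id, vote in votes.items():
        tracker = rng.randrange(1 << tracker_bits)
        while tracker in board:  # reject collisions so no two voters share one
            tracker = rng.randrange(1 << tracker_bits)
        board[tracker] = vote
        notifications[ballot_id] = tracker
    return board, notifications


def verify_vote(board, tracker, cast_vote):
    """The voter's whole verification step: look up the tracker, compare."""
    return board.get(tracker) == cast_vote


def alternative_tracker(board, own_tracker, demanded_vote):
    """Guarantee 3 from the coerced voter's side: find a tracker other than
    their own that points to the vote the coercer demanded. Returns None when
    nobody else on the board cast that vote, i.e. the published board offers
    no cover (the small-electorate / unique-ballot case).
    """
    for tracker, vote in board.items():
        if tracker != own_tracker and vote == demanded_vote:
            return tracker
    return None


def tally(board):
    """Universal check: anyone can recount the published board."""
    return Counter(board.values())
```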

------
Zash
Can this system be understood and verified by a 5 year old?

~~~
waqf
Can a 5-year-old do a rigorous security analysis of a conventional paper
ballot as conducted by modern nation-states?

If not, then the appropriate standard for comparison is "Could this system
fool a 5-year-old?".

~~~
eli
No, but a five year old could understand the fundamentals of why a paper
ballot is secure, even if they do not evaluate the complete implementation.
This system is a little tricky just to understand conceptually.

And here's the thing: voter fraud is very rare. IMHO, _fear_ of voter fraud
causes many more problems than the fraud itself. It is therefore critical that
people understand and trust the voting system even if a more complex system is
otherwise safer.

