Secure on-line voting


Postby userxp » Wed Nov 17, 2010 10:23 pm UTC

I was thinking if there is a way to modernize elections. Some countries already use e-voting, but that has raised the concern that the manufacturer of the machines (perhaps forced by the government) could alter the software to modify the results. The problem is that with one central organization controlling all the system, it's easy to manipulate any elections.

I was wondering if there could be any secure distributed network (something like TOR, Freenet...) that could guarantee that nobody can access any significant percentage of votes. Citizens would vote by downloading a voting program on their own computer, or if they are especially paranoid, downloading the source code and compiling it. In addition, online voting would be much cheaper than physical voting.

That network should have these properties:
1. Each citizen should only be able to vote once, using an electronic certificate issued by the government, like a biometric passport or a simple string of numbers printed in a piece of paper.
2. Votes should be anonymous. It should be impossible for anybody to know the vote of a particular person.
3. The entire process should be verifiable by a third party.

Is this theoretically possible? Would it be plausible?
userxp
 
Posts: 436
Joined: Thu Jul 09, 2009 12:40 pm UTC

Re: Secure on-line voting

Postby Yakk » Wed Nov 17, 2010 10:40 pm UTC

Let's look at what traditional (non-US) style paper voting looks like, and see what we have to duplicate.

A count is made of how many voters cast votes.

You verify your ID.

You are given a ballot with a list of choices on it, a private place to mark it, and a marking device.

At this time, you are watched from a distance. Contact with members of the public/communication is limited (note: cell phones with cameras change this).

You can check your piece of paper before handing it in.

You hand your piece of paper, folded, into a slot that is a box.

These boxes are watched by scrutineers of each candidate from this point on, and you leave.

The polls close. The scrutineers and the poll workers take out each box in turn, open it, and look at each ballot.

Scrutineers can object to ballots as being ambiguous, or agree what a ballot says. The count is maintained publicly for each choice, and the ambiguous ballots.

Afterwards, the ambiguous ballots are gone over in more detail.

Each polling station reports the ballot counts for each candidate. The sum of such information is sufficient to determine the election, with a possible ambiguous ballot count for margin of error.

---

Under the above system, your ability to put your ballot in a box, plus trust in the candidate-interested scrutineers, lets you verify your vote is counted.

Barring using a camera phone, it is difficult to prove to someone else who you voted for. (you could maybe do it once or twice, but large numbers of people doing it would look really strange and obvious in the polling station).

The above is very, very tricky to pull off with an e-voting system.

On top of this, each component is pretty verifiable and understandable by each participant. I am a relative computer expert, and I couldn't verify what exact code is running on my home PC, so even with all the time in the world I couldn't guarantee that my submitting a vote through any application would be secure. A typical person wouldn't even be able to understand proof that an e-voting system was insecure, let alone check themselves!
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision - BR

Last edited by JHVH on Fri Oct 23, 4004 BCE 6:17 pm, edited 6 times in total.
Yakk
 
Posts: 10038
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: Secure on-line voting

Postby WarDaft » Thu Nov 18, 2010 10:27 pm UTC

What about with a disk-bootable OS? That could (could, not currently is AFAIK) be enforced at a hardware level to be utterly secure from malicious software.

When someone is born, becomes a citizen, or is a citizen when the system goes live, the government presses a DVD with a unique encryption key for that person.
A central server is set up, under constant guard, which contains pairs to all of these keys. This is the counting server.
To vote, the person boots with the DVD, uses it to encrypt their vote with their key (this would probably be transparent) and send in their vote. The server verifies the vote was cast with the right key, tallies it, and returns a confirmation of their vote using the same key. The person now knows that their vote has been counted.

This could be done with quite non-invasive hardware standards (though they could also be utterly obnoxious) and requires far less trust in others than a manual voting process. You are trusting that your computer was manufactured properly - which we all already are - that the government is not plotting against you - which we all already are - and that those guarding the server, best choice being the military, are not out to get us - which we all already are. Furthermore, if those trusts are misplaced, all three are non-critical as to this voting concept, as what they are trust in does not require this particular act of trust to move with significant harm against anyone holding said trust, so there is no harm in trusting them with said votes.


A suitable encryption system might be based on the DLP with a secret moduli. For example, choose some prime P_{0}: 2^{1023} < P_{0} < 2^{2024}, and a second prime P_{1}: 2^{1022} < P_{1} < P_{0}. The server then sends exponents e_{1} through e_{n}, between 2^{510} and 2^{511} as the votes to be cast as plaintext, as well as the values P_{1}^{P_{1}^{P_{1}^{ne_{n}}}} mod P_{0} to verify that they are the correct exponents. The voter calculates P_{1}^{P_{1}^{ie_{i}}} mod P_{0} as their vote for the ith candidate, and the server returns P_{1}^{ie_{i}} mod P_{0} to confirm their vote. P_{0} and P_{1} are not transmitted, and should be safe to maintain for future voting.

The best part is that since there are only a minuscule selection of already known plaintexts to decrypt, the fastest way to decrypt is to in fact encrypt each. As such, decryption would be n^{3} in size of the base, despite no traditional decryption method being given, or possibly even existing outside of quantum computers. Furthermore, it should be quite resistant to attacks by quantum computers, because a traditional decryption method would likely only be efficient if actually performed on a QC itself.

But that's just a theory.
Last edited by WarDaft on Thu Nov 18, 2010 11:23 pm UTC, edited 3 times in total.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.
WarDaft
 
Posts: 1538
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Secure on-line voting

Postby Bhelliom » Thu Nov 18, 2010 10:34 pm UTC

I like the idea, plus thumbdrives or dvds are way cheaper than poll workers.

I suppose you could have the system transmit over a secure VPN too.

But what about DDOS attacks on voting day?
"Eloquently Blunt"
Bhelliom
 
Posts: 275
Joined: Wed Jun 18, 2008 1:30 pm UTC

Re: Secure on-line voting

Postby WarDaft » Thu Nov 18, 2010 11:20 pm UTC

Bhelliom wrote:I like the idea, plus thumbdrives or dvds are way cheaper than poll workers.

I suppose you could have the system transmit over a secure VPN too.

But what about DDOS attacks on voting day?


What if someone sets the polling station on fire?

Actually, everyone rushing to vote on the last day would practically *be* a DDOS, so it would have to be built to withstand zillions of connections anyway.
WarDaft
 
Posts: 1538
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Secure on-line voting

Postby sonickrahnic » Fri Nov 19, 2010 2:58 am UTC

It's a great idea but in my opinion, it would likely boost voter apathy. It seems many people go out and vote because they have to leave their homes and interact with other people who are doing the same thing. If we didn't have to leave our homes to vote, who would vote? The die-hards, the politics junkies, the ones who actually care. But I don't think anyone else would vote because it is taking something that is currently construed as a duty and making it seem voluntary. Yes, it is your choice whether to vote or not, but the more convenient the process is, I think the less the turnout would be. Just an opinion based on observations.
WSNBM/ONBP
sonickrahnic
 
Posts: 63
Joined: Tue Oct 13, 2009 3:16 am UTC
Location: Lethbridge, Alberta, CANADA

Re: Secure on-line voting

Postby Yakk » Fri Nov 19, 2010 3:20 am UTC

Sonic, not everyone lives in a one-party province. :)
Yakk
 
Posts: 10038
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: Secure on-line voting

Postby Goplat » Fri Nov 19, 2010 5:25 pm UTC

sonickrahnic wrote:It's a great idea but in my opinion, it would likely boost voter apathy. It seems many people go out and vote because they have to leave their homes and interact with other people who are doing the same thing. If we didn't have to leave our homes to vote, who would vote? The die-hards, the politics junkies, the ones who actually care.
You mean, the few people who are actually paying attention, rather than the masses of sheep who don't know jack and just vote for whoever spends more on the campaign? So politicians wouldn't be able to constantly screw the public over and yet continually get re-elected by the 95% of them who are utterly ignorant? Sounds good to me.
Goplat
 
Posts: 490
Joined: Sun Mar 04, 2007 11:41 pm UTC

Re: Secure on-line voting

Postby userxp » Fri Nov 19, 2010 8:01 pm UTC

Keep in mind that the goal is to make electoral fraud impossible for the government or any other powerful organization. This means that every part of the chain has to be able to be monitored by the general public (based on the principle that there will always be thousands of cryptanalysts willing to catch the government red-handed). Vulnerable points would be:
  • Hardware manufacturers could include a malicious chip to manipulate computers from a distance and alter the hardware results, but I find it improbable (sooner or later somebody would find them, and even if it's 50 years later it would still be a scandal).
  • Computers might include malicious software, either directly in the OS or malware added later. This is the most likely weak spot. Open-source OSs and a better software security system* would mitigate it.
  • The government might be able to create a few thousand certificates and vote for themselves.
Other than that, the system should be cryptographically impossible to manipulate.

sonickrahnic wrote:It's a great idea but in my opinion, it would likely boost voter apathy. It seems many people go out and vote because they have to leave their homes and interact with other people who are doing the same thing. If we didn't have to leave our homes to vote, who would vote? The die-hards, the politics junkies, the ones who actually care. But I don't think anyone else would vote because it is taking something that is currently construed as a duty and making it seem voluntary. Yes, it is your choice whether to vote or not, but the more convenient the process is, I think the less the turnout would be. Just an opinion based on observations.

Maybe, but on the other hand it would make voting really fast and cheap, so it might make democracies more democratic.
Goplat wrote:
sonickrahnic wrote:It's a great idea but in my opinion, it would likely boost voter apathy. It seems many people go out and vote because they have to leave their homes and interact with other people who are doing the same thing. If we didn't have to leave our homes to vote, who would vote? The die-hards, the politics junkies, the ones who actually care.
You mean, the few people who are actually paying attention, rather than the masses of sheep who don't know jack and just vote for whoever spends more on the campaign? So politicians wouldn't be able to constantly screw the public over and yet continually get re-elected by the 95% of them who are utterly ignorant? Sounds good to me.

You could start another thread about this on the Serious Business forum, but we are assuming democracy here. Democracy may or may not be the best system, but making people not want to vote is certainly not an improvement.

-------
*Small unrelated rant: the security of OSs hasn't practically changed in 30 years. In any user-oriented OS, programs should not be allowed to access the system. Programs should run in their own sandbox, minding their own business, and any outside interaction (accessing the file system, playing audio, showing things on the screen, accessing the internet...) should be handled by the OS, which would deny anything that has not been previously approved as safe. Don't tell me this is impossible when we have Flash player, we have browsers with Javascript, and most importantly we have VMwares, which all do basically the same thing. Why the fuck do I have to give a program full access to my disk just because it wants to "install itself" or "save a file"? Antiviruses are just a workaround to a bug that should be fixed since Windows NT.
userxp
 
Posts: 436
Joined: Thu Jul 09, 2009 12:40 pm UTC

Re: Secure on-line voting

Postby Bhelliom » Fri Nov 19, 2010 8:02 pm UTC

WarDaft wrote:Actually, everyone rushing to vote on the last day would practically *be* a DDOS, so it would have to be built to withstand zillions of connections anyway.


Not really. I can totally see a system built to handle all of America's citizens voting once around voting day. What I cannot see is a system that would handle all of Russia, China, and whatever Botnets spamming the voting system repeatedly around election day.
Bhelliom
 
Posts: 275
Joined: Wed Jun 18, 2008 1:30 pm UTC

Re: Secure on-line voting

Postby Squid Tamer » Sun Nov 21, 2010 4:17 am UTC

Here's my system that I imagined:

The government generates one-ballot's-worth of random data (ideally over 100 bytes or so) for every person in the county. The government keeps the keys, makes sure that there aren't any repeats (extremely unlikely anyway), and sends a copy randomly (the government doesn't record which key they send to whom) to every registered voter through any method they desire. When a voter wants to send a vote he/his computer will use the key as a one-time-pad, and he will send the encrypted ballot to the government using whatever means the gov. desires. The encrypted ballot is checked against every key in the huge list, until one can successfully decrypt all 100 or so bytes. The vote is counted, and the successful is deleted from the database.

The chances of one key decrypting more than one ballot, or vice versa, are actually much lower than I first thought. 100 bytes equals 6.6*10^240 possible combinations. Even still, the ballots should include a checksum, so that the chances of a false-positive decryption become pretty much zero. The checksum would be in the ciphertext like the rest of the ballot, so you couldn't use that to crack the one-time-pad.
Squid Tamer
 
Posts: 220
Joined: Fri Apr 03, 2009 3:59 am UTC
Location: Over there
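
The key-list scheme from Squid Tamer's post above, as an added example that is not part of the original thread: the government tries every unused pad against an incoming ballot, and the embedded checksum decides which pad "successfully decrypts" it. The SHA-256 checksum, the ballot layout, the candidate labels and all names here are assumptions made for the illustration.

```python
import hashlib
import secrets

BALLOT_LEN = 100               # "100 bytes or so", as in the post
DIGEST_LEN = 32                # SHA-256 checksum inside the ballot (assumed choice)
CHOICES = (b"A", b"B", b"C")   # hypothetical candidates


def make_ballot(choice):
    """Plaintext ballot: choice, zero padding, then a checksum over both."""
    body = choice.ljust(BALLOT_LEN - DIGEST_LEN, b"\x00")
    return body + hashlib.sha256(body).digest()


def xor(a, b):
    """One-time-pad encryption and decryption are the same XOR."""
    return bytes(x ^ y for x, y in zip(a, b))


def check_ballot(plain):
    """Return the choice if checksum and layout are valid, else None."""
    if len(plain) != BALLOT_LEN:
        return None
    body, digest = plain[:-DIGEST_LEN], plain[-DIGEST_LEN:]
    if hashlib.sha256(body).digest() != digest:
        return None
    choice = body.rstrip(b"\x00")
    return choice if choice in CHOICES else None


class KeyList:
    """Government side: the list of unused pads and the running count."""

    def __init__(self, voters):
        keys = set()
        while len(keys) < voters:          # a set guarantees no repeated pads
            keys.add(secrets.token_bytes(BALLOT_LEN))
        self.keys = keys
        self.counts = {c: 0 for c in CHOICES}

    def hand_out(self):
        """Pads to distribute; the post requires no record of who gets which."""
        return list(self.keys)

    def receive(self, ciphertext):
        """Try every unused pad; without the checksum every pad would 'decrypt'."""
        if len(ciphertext) != BALLOT_LEN:
            return False
        for key in self.keys:
            choice = check_ballot(xor(ciphertext, key))
            if choice is not None:
                self.keys.remove(key)      # pad is used up, so a replay fails
                self.counts[choice] += 1
                return True
        return False
```

Each received ballot costs one XOR and one hash per unused pad, so the work per ballot grows with the size of the key list.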

Re: Secure on-line voting

Postby Zamfir » Mon Nov 22, 2010 1:18 pm UTC

Squid, how do you prevent people from selling their votes? That's the big danger in e-voting: that people will vote according to the wishes of the person who looks over their shoulder and gives them cash.
Zamfir
 
Posts: 5743
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Secure on-line voting

Postby Stacy S. » Mon Nov 22, 2010 1:53 pm UTC

Zamfir wrote:Squid, how do you prevent people from selling their votes? That's the big danger in e-voting: that people will vote according to the wishes of the person who looks over their shoulder and gives them cash.


You're asking that like it is a bad thing. If someone wants to sell their vote, why not let them.

Just like our congressmen!
Stacy S.
 
Posts: 60
Joined: Wed Oct 27, 2010 3:46 pm UTC
Location: Virginia Beach, Virginia

Re: Secure on-line voting

Postby Zamfir » Mon Nov 22, 2010 2:43 pm UTC

Stacy S. wrote:
Zamfir wrote:Squid, how do you prevent people from selling their votes? That's the big danger in e-voting: that people will vote according to the wishes of the person who looks over their shoulder and gives them cash.


You're asking that like it is a bad thing. If someone wants to sell their vote, why not let them.

Just like our congressmen!

The relation between voting and money is a lot more complicated than buying. One main principle is simply to support politicians who would have voted your way anyway. They sound much more convincing than liars.
Zamfir
 
Posts: 5743
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Secure on-line voting

Postby Turtlewing » Mon Nov 22, 2010 9:50 pm UTC

It seems to me the problem boils down to this:
1. You need to know who cast every vote in order to ensure that no one voted twice.
2. If you know who cast each vote it's not secret ballot anymore and therefore voters can't be assured of their safety if they vote "wrong".

I really don't see any way around that contradiction. It seems like any system would either be able to track who voted for whom, be vulnerable to multiple votes per citizen, or otherwise insecure (rely on an obscure algorithm remaining secret, rely on promises that only some of the data provided the server is actually stored, vulnerable to man in the middle attacks, etc.)
Turtlewing
 
Posts: 236
Joined: Tue Nov 03, 2009 5:22 pm UTC

Re: Secure on-line voting

Postby Turtlewing » Mon Nov 22, 2010 10:00 pm UTC

Squid Tamer wrote:Here's my system that I imagined:

The government generates one-ballot's-worth of random data (ideally over 100 bytes or so) for every person in the county. The government keeps the keys, makes sure that there aren't any repeats (extremely unlikely anyway), and sends a copy randomly (the government doesn't record which key they send to whom) to every registered voter through any method they desire. When a voter wants to send a vote he/his computer will use the key as a one-time-pad, and he will send the encrypted ballot to the government using whatever means the gov. desires. The encrypted ballot is checked against every key in the huge list, until one can successfully decrypt all 100 or so bytes. The vote is counted, and the successful is deleted from the database.

The chances of one key decrypting more than one ballot, or vice versa, are actually much lower than I first thought. 100 bytes equals 6.6*10^240 possible combinations. Even still, the ballots should include a checksum, so that the chances of a false-positive decryption become pretty much zero. The checksum would be in the ciphertext like the rest of the ballot, so you couldn't use that to crack the one-time-pad.


This system is insecure because there is nothing the citizens can do to verify that the government isn't keeping track of who they send each key to.
Turtlewing
 
Posts: 236
Joined: Tue Nov 03, 2009 5:22 pm UTC

Re: Secure on-line voting

Postby Goplat » Tue Nov 23, 2010 3:52 am UTC

Turtlewing wrote:It seems to me the problem boils down to this:
1. You need to know who cast every vote in order to ensure that no one voted twice.
2. If you know who cast each vote it's not secret ballot anymore and therefore voters can't be assured of their safety if they vote "wrong".

I really don't see any way around that contradiction. It seems like any system would either be able to track who voted for whom, be vulnerable to multiple votes per citizen, or otherwise insecure (rely on an obscure algorithm remaining secret, rely on promises that only some of the data provided the server is actually stored, vulnerable to man in the middle attacks, etc.)
I believe there might be a way around this, using RSA "blind signatures":

To start with, the government generates an RSA key pair (exponents e, d and modulus n), and publicizes the numbers e and n. They keep d a secret: anyone who knows d can sabotage the election, but this is detectable. They maintain and publish two lists: a list of people who've voted, and a list of valid votes.

In the first phase of the election (the "signing" phase):
  • Each voter constructs a ballot M and a random number R.
  • The voter computes R^e M, and gives this to the government (non-anonymously)
  • The government makes sure that this person's name isn't in the first list. If not, they exponentiate R^e M by d to get R M^d, give that back to the voter, and add the person's name to the list.
  • The voter multiplies this by R^{-1} to get M^d.
In the second phase of the election (the "casting" phase):
  • The voter gives the M^d to the government (anonymously - best if it's done at a random time too)
  • The government exponentiates this by e to get M, checks that it's valid and not a duplicate, and if so, adds M^d to the second list.
You can see that your own vote was counted correctly: just search for your M^d in the second list. You can also see that there are no phony votes: the government could of course make up votes, since they know d, but this would show up as the second list having more entries than the first. And yet, nobody can link your name with your vote. Not even the government can, since they didn't know your number R.

EDIT: signing ballots and casting ballots divided into two non-overlapping phases in time, to maximize anonymity: any person could have cast any vote now.
Goplat
 
Posts: 490
Joined: Sun Mar 04, 2007 11:41 pm UTC
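
The two-phase blind-signature exchange from Goplat's post above, run end to end with both sides' computations, as an added example that is not part of the original thread. The toy key built from two Mersenne primes, the `VOTE:<choice>:<nonce>` ballot encoding, the candidate labels and all function names are assumptions made for the illustration; the RSA is unpadded, as in the post.

```python
import math
import secrets

# Constructed toy key: two Mersenne primes, far too small and too structured
# for real use; chosen only so the example runs without a crypto library.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q                            # public modulus n
E = 65537                            # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))    # the government's secret exponent d

CHOICES = ("A", "B", "C")            # hypothetical candidates


def make_ballot(choice):
    """Ballot M: the choice plus a random nonce so equal choices differ."""
    text = "VOTE:%s:%s" % (choice, secrets.token_hex(8))
    return int.from_bytes(text.encode(), "big")


def parse_ballot(m):
    """Return the choice if m decodes to a well-formed ballot, else None."""
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    try:
        tag, choice, nonce = raw.decode("ascii").split(":")
    except ValueError:               # bad bytes or wrong number of fields
        return None
    ok = tag == "VOTE" and choice in CHOICES and len(nonce) == 16
    return choice if ok else None


def blind(m):
    """Voter: pick a random R and return (R, R^e * M mod n)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r, (pow(r, E, N) * m) % N


def unblind(r, signed):
    """Voter: multiply R * M^d by R^-1 to obtain M^d."""
    return (signed * pow(r, -1, N)) % N


class Government:
    def __init__(self):
        self.voted = []         # published list 1: names that got a signature
        self.valid_votes = []   # published list 2: accepted M^d values

    def sign_blinded(self, name, blinded):
        """Signing phase (non-anonymous): one signature per name."""
        if name in self.voted:
            return None
        self.voted.append(name)
        return pow(blinded, D, N)

    def cast(self, sig):
        """Casting phase (anonymous): accept M^d if M is valid and new."""
        if parse_ballot(pow(sig, E, N)) is None or sig in self.valid_votes:
            return False
        self.valid_votes.append(sig)
        return True


def audit(voted, valid_votes):
    """Check the two published lists using only the public e and n."""
    well_formed = all(parse_ballot(pow(s, E, N)) is not None for s in valid_votes)
    unique = len(set(valid_votes)) == len(valid_votes)
    return well_formed and unique and len(valid_votes) <= len(voted)


def tally(valid_votes):
    counts = {c: 0 for c in CHOICES}
    for s in valid_votes:
        counts[parse_ballot(pow(s, E, N))] += 1
    return counts


def run_demo():
    """Constructed three-voter election; returns the government and receipts."""
    gov, receipts = Government(), {}
    for name, choice in [("alice", "A"), ("bob", "B"), ("carol", "A")]:
        r, blinded = blind(make_ballot(choice))     # government sees only this
        receipts[name] = unblind(r, gov.sign_blinded(name, blinded))
    for sig in receipts.values():                   # second phase, no names
        gov.cast(sig)
    return gov, receipts
```

`audit` only checks ballot validity, duplicates and the two list lengths, so a signature that was issued but never cast leaves room in the count, which is the case raised later in the thread.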

Re: Secure on-line voting

Postby userxp » Tue Nov 23, 2010 8:21 pm UTC

Turtlewing wrote:
Squid Tamer wrote:Here's my system that I imagined:

The government generates one-ballot's-worth of random data (ideally over 100 bytes or so) for every person in the county. The government keeps the keys, makes sure that there aren't any repeats (extremely unlikely anyway), and sends a copy randomly (the government doesn't record which key they send to whom) to every registered voter through any method they desire. When a voter wants to send a vote he/his computer will use the key as a one-time-pad, and he will send the encrypted ballot to the government using whatever means the gov. desires. The encrypted ballot is checked against every key in the huge list, until one can successfully decrypt all 100 or so bytes. The vote is counted, and the successful is deleted from the database.

The chances of one key decrypting more than one ballot, or vice versa, are actually much lower than I first thought. 100 bytes equals 6.6*10^240 possible combinations. Even still, the ballots should include a checksum, so that the chances of a false-positive decryption become pretty much zero. The checksum would be in the ciphertext like the rest of the ballot, so you couldn't use that to crack the one-time-pad.


This system is insecure because there is nothing the citizens can do to verify that the government isn't keeping track of who they send each key to.


There is always the analog way: you go to their office, they hand you an opaque box filled with unlabeled CD-ROMs (or memory cards or envelopes with papers) each containing one key, and you pick one at random.
userxp
 
Posts: 436
Joined: Thu Jul 09, 2009 12:40 pm UTC

Re: Secure on-line voting

Postby Zamfir » Tue Nov 23, 2010 8:59 pm UTC

Still, this only solves the problem of voters who do not want others to see what they vote.

It's the inverse problem that's hard to solve: what to do with voters who do want others to see what they vote, so they can sell their vote.
Zamfir
 
Posts: 5743
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Secure on-line voting

Postby HungryHobo » Fri Nov 26, 2010 3:33 pm UTC

It's the inverse problem that's hard to solve: what to do with voters who do want others to see what they vote, so they can sell their vote.


this is a problem which isn't any better in the current system.

Last time I voted I could have snapped a few pictures with my camera phone and nobody would have seen since I was inside the booth voting anonymously.

In theory you could solve this by stripping everyone naked before allowing them into the booth but since they don't do that it's not a solved problem with paper ballots.

The only possible abuse that jumps out at me in Goplat's system, given that it's as good as whatever method you use to identify the voters (much like with paper ballots), is that there will be a certain percent of voters who go through the first part but then for one reason or another do not complete the transaction, leaving more people identified than votes counted.

This could be abused by the government inserting fake votes for the non-voters at the last moments in the election.

You could test for this by putting off voting until the last seconds, but then it's hard to prove that you didn't just try to submit your vote twice.
It would also require a detailed log of when every vote was received to be publicly available to watch for such patterns and make sure the incumbent government isn't getting most of its votes in the last 0.25 seconds of the election.
Give a man a fish, he owes you one fish. Teach a man to fish, you give up your monopoly on fisheries.
HungryHobo
 
Posts: 1365
Joined: Wed Oct 20, 2010 9:01 am UTC

Re: Secure on-line voting

Postby Yakk » Fri Nov 26, 2010 5:45 pm UTC

I can fake a picture of a ballot that I later ruin and replace. The cell phone picture is not a strong proof -- and it leaves a reasonably thick paper trail.

You'd need both someone watching that you didn't replace your ballot, and such a photo proof. This means that you'd need to corrupt all of your ballot-box watchers to keep an eye out for people changing their vote (and remembering all of them), plus a system to clear illicit pictures of votes.

Under goplat's system? Just get people to hand over their voting code to you. At this point, you know how they voted, guaranteed.

Naturally, absentee ballots under current systems remain abusable in much the same way.
Yakk
 
Posts: 10038
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: Secure on-line voting

Postby nitePhyyre » Sat Nov 27, 2010 12:16 am UTC

Copy what banks do for online-banking. If it is good enough for ~99% of the entire world economy, it is probably good enough for our elections.
sourmìlk wrote:Monopolies are not when a single company controls the market for a single product.

You don't become great by trying to be great. You become great by wanting to do something, and then doing it so hard you become great in the process.
nitePhyyre
 
Posts: 1008
Joined: Mon Jul 27, 2009 10:31 am UTC

Re: Secure on-line voting

Postby HungryHobo » Sat Nov 27, 2010 12:21 am UTC

nitePhyyre wrote:Copy what banks do for online-banking. If it is good enough for ~99% of the entire world economy, it is probably good enough for our elections.


And in a landslide the botnet party was voted in everywhere!

Online banks tend to be less than fantastic when it comes to security and they're utterly non-anonymous.
HungryHobo
 
Posts: 1365
Joined: Wed Oct 20, 2010 9:01 am UTC

Re: Secure on-line voting

Postby Xeio » Sat Nov 27, 2010 1:35 am UTC

sonickrahnic wrote:It's a great idea but in my opinion, it would likely boost voter apathy. It seems many people go out and vote because they have to leave their homes and interact with other people who are doing the same thing. If we didn't have to leave our homes to vote, who would vote? The die-hards, the politics junkies, the ones who actually care. But I don't think anyone else would vote because it is taking something that is currently construed as a duty and making it seem voluntary. Yes, it is your choice whether to vote or not, but the more convenient the process is, I think the less the turnout would be. Just an opinion based on observations.
Wait... making voting easier/faster/less inconvenient would LOWER voting rates? Really? What "observations" are you basing this on?

I think it's already pretty evident that the "die hards" and "political junkies" are already more likely to vote in the current system, I really don't see how making it easier for everyone else will make that even worse.
Xeio
Friends, Faidites, Countrymen
 
Posts: 4409
Joined: Wed Jul 25, 2007 11:12 am UTC
Location: C:\Users\Xeio\

Re: Secure on-line voting

Postby HungryHobo » Sat Nov 27, 2010 9:39 am UTC

Xeio wrote:Wait... making voting easier/faster/less inconvenient would LOWER voting rates? Really? What "observations" are you basing this on?



I think this was mentioned in Freakonomics.
if you take something like voting which is considered a social duty people who would otherwise turn up and vote (and to be seen voting) out of a sense of duty would not bother when you make it too easy.
HungryHobo
 
Posts: 1365
Joined: Wed Oct 20, 2010 9:01 am UTC

Re: Secure on-line voting

Postby nitePhyyre » Sun Nov 28, 2010 5:52 am UTC

HungryHobo wrote:
nitePhyyre wrote:Copy what banks do for online-banking. If it is good enough for ~99% of the entire world economy, it is probably good enough for our elections.


And in a landslide the botnet party was voted in everywhere!

Online banks tend to be less than fantastic when it comes to security and they're utterly non-anonymous.


When is the last time you have heard of a bot net stealing 400 billion dollars? Because that would be the banking equivalent.
Your in-person voting is non-anonymous, who you are voting for is anonymous, the fact that you are voting is not. Do you have any idea how easy it is to not store data?
One thing I forgot to mention in my last post, the system should only run on an open source stack.
nitePhyyre
 
Posts: 1008
Joined: Mon Jul 27, 2009 10:31 am UTC

Re: Secure on-line voting

Postby Yakk » Sun Nov 28, 2010 5:17 pm UTC

Do you know how hard it is to distinguish between someone storing data and someone not storing data?

With a pen-and-paper ballot system, I don't have to trust some central agency that my votes will be counted. I just have to trust that my individual polling spot isn't completely corrupted.

In order to determine what I voted for, you'd have to install a hidden camera in the voting spot.

In order for me to prove I voted for someone, you'd need to corrupt the voting spot (so you can tell if I asked for a new ballot after I "screwed up"), then get me to take a picture of it.

You'll note the commonality -- you need to corrupt the local voting location.

Each local voting location serves about 1000-10000 people. In an election of many-millions, that is a lot of corruption. Plus each candidate gets to appoint scrutineers for each voting spot -- and they rarely all want to corrupt the election in the same way.

Once the numbers are produced at the local voting spot, further corruption is very difficult -- each local location has many people who know the voting totals (as they are a series of numbers), and the total election result is a simple sum over the voting spots.

Meanwhile, under a central computer voting system like the banks, all it takes is one small amount of corruption and the entire election results can be changed.

I.e., for the same amount of effort, you can steal 1000-odd votes in a pen-and-paper election, or 1 million votes under a centralized "electronic banking like" system.

Finally, note that electronic banking is kept honest by the fact that it keeps track of everything it does. In the event of error or corruption, that tracking lets you figure out who/what corrupted the system. You, as a consumer, log into the bank and see your balance. If you log in the next day and the total goes down 1000$, you'll probably notice. And there is a non-trivial percentage of the population that keep their own balance books done manually in a spreadsheet.
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision - BR

Last edited by JHVH on Fri Oct 23, 4004 BCE 6:17 pm, edited 6 times in total.
Yakk
 
Posts: 10038
Joined: Sat Jan 27, 2007 7:27 pm UTC
Location: E pur si muove

Re: Secure on-line voting

Postby nitePhyyre » Mon Nov 29, 2010 8:11 am UTC

Yakk wrote:Do you know how hard it is to distinguish between someone storing data and someone not storing data?
With a pen-and-paper ballot system, I don't have to trust some central agency that my votes will be counted. I just have to trust that my individual polling spot isn't completely corrupted.
In order to determine what I voted for, you'd have to install a hidden camera in the voting spot.
In order for me to prove I voted for someone, you'd need to corrupt the voting spot (so you can tell if I asked for a new ballot after I "screwed up"), then get me to take a picture of it.
You'll note the commonality -- you need to corrupt the local voting location.
Each local voting location serves about 1000-10000 people. In an election of many-millions, that is a lot of corruption. Plus each candidate gets to appoint scrutineers for each voting spot -- and they rarely all want to corrupt the election in the same way.
Once the numbers are produced at the local voting spot, further corruption is very difficult -- each local location has many people who know the voting totals (as they are a series of numbers), and the total election result is a simple sum over the voting spots.

Meanwhile, under a central computer voting system like the banks, all it takes is one small amount of corruption and the entire election results can be changed.
I.e., for the same amount of effort, you can steal 1000-odd votes in a pen-and-paper election, or 1 million votes under a centralized "electronic banking like" system.


"same amount of effort"? That is absurd.
Have you ever worked as a scrutineer? One of the people who runs the polling station? I've done it at a moderately large polling station in Montreal for 4 elections. There was never a representative there to watch the count. If I was at a small station out in the boonies, and I knew my partner had the same affiliations as me, the ease with which I could decide the results of that station is staggering. Throw out just enough, add just enough from the no-shows... done. In the 1995 Quebec referendum, with no planning, an ad hoc group of poll workers threw out enough "no" votes to swing the election by nearly 10%, keeping Quebec in Canada by a mere 1% of the vote.

So compare that difficulty to what is essentially sneaking an obvious backdoor into the Linux kernel. Or hacking into a bank network to steal hundreds of billions of dollars.
nitePhyyre
 
Posts: 1008
Joined: Mon Jul 27, 2009 10:31 am UTC

Re: Secure on-line voting

Postby Turtlewing » Mon Nov 29, 2010 9:38 pm UTC

Goplat wrote:
Turtlewing wrote:It seems to me the problem boils down to this:
1. You need to know who cast every vote in order to ensure that no one voted twice.
2. If you know who cast each vote it's not secret ballot anymore and therefore voters can't be assured of their safety if they vote "wrong".

I really don't see any way around that contradiction. It seems like any system would either be able to track who voted for whom, be vulnerable to multiple votes per citizen, or otherwise insecure (rely on an obscure algorithm remaining secret, rely on promises that only some of the data provided to the server is actually stored, vulnerable to man in the middle attacks, etc.)
I believe there might be a way around this, using RSA "blind signatures":

To start with, the government generates an RSA key pair (exponents e, d and modulus n), and publicizes the numbers e and n. They keep d a secret: anyone who knows d can sabotage the election, but this is detectable. They maintain and publish two lists: a list of people who've voted, and a list of valid votes.

In the first phase of the election (the "signing" phase):
  • Each voter constructs a ballot M and a random number R.
  • The voter computes $R^e M$, and gives this to the government (non-anonymously)
  • The government makes sure that this person's name isn't in the first list. If not, they exponentiate $R^e M$ by d to get $R M^d$, give that back to the voter, and add the person's name to the list.
  • The voter multiplies this by $R^{-1}$ to get $M^d$.
In the second phase of the election (the "casting" phase):
  • The voter gives the $M^d$ to the government (anonymously - best if it's done at a random time too)
  • The government exponentiates this by e to get M, checks that it's valid and not a duplicate, and if so, adds $M^d$ to the second list.
You can see that your own vote was counted correctly: just search for your $M^d$ in the second list. You can also see that there are no phony votes: the government could of course make up votes, since they know d, but this would show up as the second list having more entries than the first. And yet, nobody can link your name with your vote. Not even the government can, since they didn't know your number R.

EDIT: signing ballots and casting ballots divided into two non-overlapping phases in time, to maximize anonymity: any person could have cast any vote now.


Correct me if I'm wrong but it seems like your system requires that no two people submit identical ballots (since the system discards duplicate ballots in the counting phase). Thus there would have to be something unique to every ballot in order to keep from discarding votes from those who happen to agree on all candidates.

How do you propose to solve that without introducing weakness into the system? The ballot could include a "type a random string here" field to prevent collision, but I'd suspect people who vote for all the same candidates to favor similar "random" character strings as well, so you've at best reduced the chances of a collision, not eliminated it.
Turtlewing
 
Posts: 236
Joined: Tue Nov 03, 2009 5:22 pm UTC

Re: Secure on-line voting

Postby HungryHobo » Mon Nov 29, 2010 10:04 pm UTC

it could generate long enough random strings to make the chance of collision between 2 votes in any election unlikely to the point of being on a par with getting hit with multiple meteorites on the same day at the same time.

voters aren't going to be doing the math by hand after all.
Give a man a fish, he owes you one fish. Teach a man to fish, you give up your monopoly on fisheries.
HungryHobo
 
Posts: 1365
Joined: Wed Oct 20, 2010 9:01 am UTC
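
The blind-signature exchange quoted from Goplat above, with the long client-generated random string HungryHobo suggests for keeping identical votes distinct, as an added example that is not part of any post in this thread. It assumes a constructed toy key, textbook RSA without padding, and a hypothetical 18-byte ballot layout and candidate ids.

```python
import math
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # government's secret exponent d
CANDIDATES = {1, 2, 3}               # hypothetical candidate ids

def make_ballot(candidate):
    # M = tag byte | candidate | 128-bit nonce generated on the voter's machine
    return int.from_bytes(b"V" + bytes([candidate]) + secrets.token_bytes(16), "big")

def blind(m):
    # Voter: pick R coprime to n, return (R, R^e * M mod n)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r, (pow(r, E, N) * m) % N

def unblind(r, blinded_sig):
    # Voter: multiply R * M^d by R^-1 to recover M^d
    return (blinded_sig * pow(r, -1, N)) % N

class Government:
    def __init__(self):
        self.voted = set()           # first list: names that got a signature
        self.votes = {}              # second list: M^d -> candidate

    def sign_blinded(self, name, blinded):
        if name in self.voted:
            return None              # one signature per voter
        self.voted.add(name)
        return pow(blinded, D, N)    # (R^e * M)^d = R * M^d mod n

    def cast(self, sig):
        m = pow(sig, E, N)           # (M^d)^e = M
        raw = m.to_bytes(18, "big") if m < 2**144 else b""
        if raw[:1] != b"V" or raw[1] not in CANDIDATES:
            return False             # not a well-formed ballot
        if sig in self.votes:
            return False             # replay of an already-cast ballot
        self.votes[sig] = raw[1]
        return True

def demo():
    gov, sigs = Government(), []
    for name in ("alice", "bob"):    # both pick candidate 2
        r, blinded = blind(make_ballot(2))
        sigs.append(unblind(r, gov.sign_blinded(name, blinded)))
    return gov, sigs, [gov.cast(s) for s in sigs]
```

Both voters choose the same candidate, yet both ballots are accepted because the nonces differ; the government only ever sees the blinded value next to a name and the unblinded signature without one.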

Re: Secure on-line voting

Postby Turtlewing » Wed Dec 08, 2010 7:31 pm UTC

HungryHobo wrote:it could generate long enough random strings to make the chance of collision between 2 votes in any election unlikely to the point of being on a par with getting hit with multiple meteorites on the same day at the same time.

voters aren't going to be doing the math by hand after all.


Assuming that the client program generates the random string (since if the server did it you'd be traceable) my next question is: how exactly does the voter verify that the random string is actually random (as opposed to being, say, derived from their name and who they voted for)?

I suppose you could rely on code reviews handled by a board made up of members from both major political parties, but I don't think the political parties have any reason to protect anonymity of voters, so that's not reliable.

Also you need a sufficiently good random number generator that can run on a citizen's home computer. Though I'll assume that problem is easily solvable, since I expect even normal pseudo-random numbers are probably close enough so long as the string generated is sufficiently long and the seed value is something difficult to accidentally duplicate like the OS time.
Turtlewing
 
Posts: 236
Joined: Tue Nov 03, 2009 5:22 pm UTC

Re: Secure on-line voting

Postby nitePhyyre » Wed Dec 08, 2010 9:13 pm UTC

Turtlewing, Open Source.
nitePhyyre
 
Posts: 1008
Joined: Mon Jul 27, 2009 10:31 am UTC

Re: Secure on-line voting

Postby Thesh » Wed Dec 08, 2010 9:36 pm UTC

How about this:

Each polling place has individual polling machines, and a local server that stores individual results. When you vote, a unique 8192 bit asymmetric key is generated, and then used to encrypt your voting results. It then prints out two tickets, one for the local polling place, and one for the voter. These tickets contain your votes in plain text, and then an SHA512 hash of the public key + encrypted value, and possibly a unique identifier (e.g. polling place id, voting machine id, auto-increment id - using the hash isn't 100% reliable, although it is close). These are stored on the local voting machines, the local server, and are sent to a central server as soon as possible. You can then log in online, enter your ticket ID and hash to verify your vote was counted accurately.

Now you have verifiable paper, each voter can make sure their vote got counted, and each polling place can be audited using the tickets. You can easily extend this to a program you can run on your home machine, but I'm not sure you can make it truly anonymous if you do that (to the point where you, the voter, know it's anonymous). Your ticket can be something you print out, and signed with the server's private key. Also, you can never fully protect against DDOS attacks if you do this.

Also, voting from your home computer would make you susceptible to viruses and man in the middle attacks.
Eppur si mouve.
Thesh
Has the Brain Worms, In Case You Forgot.
 
Posts: 2440
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Southern California, USA

Re: Secure on-line voting

Postby sonickrahnic » Mon Dec 13, 2010 2:31 am UTC

HungryHobo wrote:
Xeio wrote:Wait... making voting easier/faster/less inconvenient would LOWER voting rates? Really? What "observations" are you basing this on?



I think this was mentioned in Freakonomics.
if you take something like voting which is considered a social duty people who would otherwise turn up and vote (and to be seen voting) out of a sense of duty would not bother when you make it too easy.


It all comes down to reverse psychology. If you make something like voting seem like it is so easy a child could do it, people feel that because it is so easy everyone else will be doing it anyway so they can be excused and it will not make much difference. But if it is made a little more difficult, like being required to leave the house and do some actual mental work, people are going to feel the opposite way, as if not enough people are going to want to do it so they should fulfill their social duty. I am not saying this applies to absolutely everyone in any democracy, but in places like Canada, (not specific provinces, but the country as a whole, yakk) where the last federal election had the worst turnout in almost 40 years I think that making the system too voluntary would be the undoing of the whole system. I cannot tell you how many people I talked to last time around who said 'my vote doesn't count' or 'it's just one vote' when I asked if they voted or were planning to do so.

EDITed to clarify what was previously written. I looked at what I wrote and realized it was kind of fuzzy so I had to add some clarity. Once again, I shouldn't post after drinking.
WSNBM/ONBP
sonickrahnic
 
Posts: 63
Joined: Tue Oct 13, 2009 3:16 am UTC
Location: Lethbridge, Alberta, CANADA

