1. Forum
  2. Usenet
  3. LINUX.DEBIAN.VOTE

  • Secure, Secret, and Publicly Verifiable Voting

    From Barak A. Pearlmutter@21:1/5 to All on Sun Mar 6 12:50:01 2022
    In the discussion of the "voting secrecy" resolution, people seem to
    have assumed that it is impossible for a voting system to be
    simultaneously secure, tamper-proof, have secret ballots, and also be end-to-end publicly verifiable meaning transparent verification of the
    final tally, with voters able to verify that their own vote was
    properly counted. (Our current system does not have secret ballots,
    but does embody the other properties.)

    As it turns out, magic cryptographic fairy dust allows *all* these
    properties to coexist. This is not to say that we *should* have secret
    ballots. Just that we *could*, without sacrificing transparency etc.

    Some references:

    * https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems

    * D. Chaum, "Secret-ballot receipts: True voter-verifiable elections,"
    in IEEE Security & Privacy, vol. 2, no. 1, pp. 38-47, Jan.-Feb. 2004,
    doi: 10.1109/MSECP.2004.1264852.

    * https://www.newyorker.com/news/the-future-of-democracy/can-our-ballots-be-both-secret-and-secure

    * Josh Daniel Cohen Benaloh. 1987. Verifiable secret-ballot elections.
    Ph.D. Dissertation. Yale University, USA. Order Number: AAI8809191.
    URL https://www.microsoft.com/en-us/research/publication/verifiable-secret-ballot-elections/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrian Bunk@21:1/5 to Barak A. Pearlmutter on Sun Mar 6 19:20:01 2022
    On Sun, Mar 06, 2022 at 11:31:22AM +0000, Barak A. Pearlmutter wrote:
    In the discussion of the "voting secrecy" resolution, people seem to
    have assumed that it is impossible for a voting system to be
    simultaneously secure, tamper-proof, have secret ballots, and also be end-to-end publicly verifiable meaning transparent verification of the
    final tally, with voters able to verify that their own vote was
    properly counted. (Our current system does not have secret ballots,
    but does embody the other properties.)

    As it turns out, magic cryptographic fairy dust allows *all* these
    properties to coexist. This is not to say that we *should* have secret ballots. Just that we *could*, without sacrificing transparency etc.
    ...

    Isn't this how DPL elections are already done for 20 years?

    https://www.debian.org/vote/2002/voters.txt https://www.debian.org/vote/2002/tally.txt

    https://www.debian.org/vote/2021/vote_001_voters.txt https://www.debian.org/vote/2021/vote_001_tally.txt

    cu
    Adrian

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Barak A. Pearlmutter on Sun Mar 6 20:30:02 2022
    "Barak A. Pearlmutter" <barak@pearlmutter.net> writes:

    In the discussion of the "voting secrecy" resolution, people seem to
    have assumed that it is impossible for a voting system to be
    simultaneously secure, tamper-proof, have secret ballots, and also be end-to-end publicly verifiable meaning transparent verification of the
    final tally, with voters able to verify that their own vote was properly counted. (Our current system does not have secret ballots, but does
    embody the other properties.)

    As it turns out, magic cryptographic fairy dust allows *all* these
    properties to coexist. This is not to say that we *should* have secret ballots. Just that we *could*, without sacrificing transparency etc.

    This is what the discussion of Belenios is about. It's a voting system
    that makes better use of cryptographic fairy dust than what we're
    currently using.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bill Allombert@21:1/5 to Russ Allbery on Wed Mar 9 20:40:01 2022
    On Sun, Mar 06, 2022 at 11:26:28AM -0800, Russ Allbery wrote:
    "Barak A. Pearlmutter" <barak@pearlmutter.net> writes:

    In the discussion of the "voting secrecy" resolution, people seem to
    have assumed that it is impossible for a voting system to be
    simultaneously secure, tamper-proof, have secret ballots, and also be end-to-end publicly verifiable meaning transparent verification of the final tally, with voters able to verify that their own vote was properly counted. (Our current system does not have secret ballots, but does
    embody the other properties.)

    As it turns out, magic cryptographic fairy dust allows *all* these properties to coexist. This is not to say that we *should* have secret ballots. Just that we *could*, without sacrificing transparency etc.

    This is what the discussion of Belenios is about. It's a voting system
    that makes better use of cryptographic fairy dust than what we're
    currently using.

    As I understand, Belenios does not make much of a difference compared to
    the system used for DPL election.
    It does not provide plausible deniability.
    It mostly reduce the trust needed to be put on the secretary, but this
    is not why this GR was proposed.

    I still consider this GR to be premature.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Kurt Roeckx@21:1/5 to Bill Allombert on Thu Mar 10 00:10:02 2022
    On Wed, Mar 09, 2022 at 07:33:05PM +0000, Bill Allombert wrote:
    On Sun, Mar 06, 2022 at 11:26:28AM -0800, Russ Allbery wrote:
    "Barak A. Pearlmutter" <barak@pearlmutter.net> writes:

    In the discussion of the "voting secrecy" resolution, people seem to
    have assumed that it is impossible for a voting system to be simultaneously secure, tamper-proof, have secret ballots, and also be end-to-end publicly verifiable meaning transparent verification of the final tally, with voters able to verify that their own vote was properly counted. (Our current system does not have secret ballots, but does embody the other properties.)

    As it turns out, magic cryptographic fairy dust allows *all* these properties to coexist. This is not to say that we *should* have secret ballots. Just that we *could*, without sacrificing transparency etc.

    This is what the discussion of Belenios is about. It's a voting system that makes better use of cryptographic fairy dust than what we're
    currently using.

    As I understand, Belenios does not make much of a difference compared to
    the system used for DPL election.
    It does not provide plausible deniability.
    It mostly reduce the trust needed to be put on the secretary, but this
    is not why this GR was proposed.

    It's my understanding that Belenios provides universal verifiability
    and eligibility verifiability, which is something we don't have now,
    and instead have to trust the secretary.

    Reducing the need for trusting the secretary is at least one of the
    reasons why I would like to move to a different voting system. The
    other reason is how difficult it is for people to use the current
    system.

    This GR is not about changing the voting system, but at least one
    of the options is about making it possible to do so.


    Kurt

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)