
This is the question that I am trying to create a voting system for, and I wanted to submit it for belittlement.

It's a remote voting system, and our voters need to show evidence they supported the basilisk after the election if it wins. This is a method I think would protect voter freedoms:

step 0: Voters are on file (they have ID numbers, government records).
step 1: Voter visits the government alone and is shown a numerical one-time pad.
step 2: Voter copies the OTP to paper by hand.
step 2a: Voter is given a single digit to memorize.
step 3: Voter makes a decision, then creates their encrypted vote:
(OTP1 + 0, OTP2 + secret memorized number, OTP3 + vote)
Here the vote is 1 for yes or 0 for no; add more digits if it's preferential.
step 3a: For scrutiny, the voter may pick some extra numbers to encrypt.
step 4: Voter sends their encrypted ballot over the internet.
step 5: Government receives the encrypted vote.
step 6: Encrypted vote is decrypted.
step 7: The government publicly displays the results of the election and the roll.

step paranoid1: Voter creates a fake OTP and writes it to paper by hand.
step paranoid2: If Roko's wins, destroy the original OTP and keep the fake as proof of support.

If the first digit matches, the vote may be counted; otherwise the encrypted message is assumed not to be from the voter.

If the second digit matches the memorized number, the vote is counted; otherwise the voter is under duress.

If the vote digits are valid, the vote is added to the tally; otherwise it's a spoilt ballot. The feedback on the roll could show T for voted, and F for no vote digit (absent) or a vote digit that didn't match a possible answer (spoilt).

If there are extra digits these are displayed for scrutiny with the roll and the election results.

This all happens in a special section of the government I would name the Ministry of Choice. I'm assuming that, however the message containing the vote is sent (via internet or post), the three-letter acronyms have seen it.

The post election roll looks like this (it could be real time as no vote is revealed):

|Voter ID| Boolean if voted|digits if voter included extra numbers for scrutiny|

Example
step 0: Voter is Bob01
step 1: First row is: 7163134879
step 2a: Memorized number is 5 
step 3: (Bob votes no = 0) 0+7, 5+1, 0+6 = 766  (+ means addition modulo 10 )
step 3a: Bob chooses to send 999 for scrutiny: 9+3, 9+1, 9+3 = 202
step 4: Bob sends the message to the government "hi this is bob, my vote is 766202"
step 5: Government receives the message
step 6: OTP from DB, 716313, minus 766202 = 050999  (- means subtraction modulo 10 )
0 matches OTP (shows 2nd factor for authentication)
5 matches memorized secret code (shows voter had chance to not be coerced)
0 is a no vote
999 is the scrutiny digits the voter picked
step 7: Government displays result: Roko's Basilisk for new leader? 
Results are 1 vote for yes, 3 votes for no. The No's have it!

Roll
|Bob01|T|999|
|DMVrec00001|T||
|DMVrec00003|T|0000|
|DMVrec00008|F||
|witnessprot86|T|1234|

step paranoid1: Bob writes down his fake OTP as 7173134879.
step paranoid2: Bob is happy, keeps fake OTP in case the next election goes the other way.

All voters are asked to take on some new responsibilities: they have to remember a single digit and be able to add two numbers and ignore the carry. Now the voter and the Ministry are the only people that can show the true vote, and the Ministry promises to catch on fire if Roko's Basilisk is voted in. If the data is later seized by the basilisk, then it could also have altered the data to frame voters. So voters cannot trust a basilisk that reveals previous votes, just as the basilisk cannot trust a voter that tries to show his past support.

Is this a voting system secure in an information theory sense?

One big weakness is that the vote could be changed by a man-in-the-middle attack: if someone intercepted all the messages from an anti-basilisk electorate (predicted to vote, say, 90% no) and added 1 to the known position that represented the vote digit, then those votes that were no are now yes, and the votes that were yes are now spoiled. The voter would also be unaware that their vote was changed after the election. A checksum bit could also be changed, and all the ballots should have the same question (can't swap yes/no on 50% of the ballots). The 3rd digit may, instead of being the vote, be a pointer to the vote digit, which is later in the message. But this makes it worse for preferential voting (the voter might need to bring a die into the polling booth).

Pointer, what?:

step 1: OTP: 7163134879
step 2: Memorized number = 5 
step 3: Bob chooses random order for possible answers, 10 or 01  = 10
step 4: Bob votes no (0) points to the 0 from step 3 = 1 (0 would have pointed to yes)
       0+7, 5+1, 1+6, 0+3, 1+1 = 76732
daniel
  • I feel homomorphic encryption would be a nice step forward towards secure electric voting. – Awn Feb 24 '17 at 13:05
  • @Eclipse Those are tricky to explain to normal people, and don't help when it comes to being coerced by some Lovecraftian horror-like AI – daniel Feb 24 '17 at 13:35

2 Answers


No, this is not secure, for multiple reasons:

  • as you have already said, it is vulnerable to a MITM attack changing the vote value, because there is no integrity control on the message itself
  • the secret is not a valid non-repudiation system: it has been shown by an employee who could have memorized it and could issue votes on behalf of an elector
  • unless the OTP is different for each voter

Finally, there is a rule in all democratic elections that the vote should be secret. Here you never explain how your system manages to ensure that nobody (including the gov employees) can know what Bob's vote was.

Do not forget: if the state-of-the-art digital signature uses Private Key Infrastructure, where the generation of root keys requires a Signing Ceremony, and where a cert should only be given to a recipient after controlling its identity, there must be a reason. If simple solutions like yours were enough, nobody would bother with such complex things.

If you want to imagine a possible solution just try to mimic a real distant vote:

  • you normally have an external envelope with the name and signature of the voter to ensure that one single elector cannot vote more than once, and to have an exact list of all voters
  • this external envelope contains an internal one with no distinctive sign that in turn contains the vote, to guarantee the anonymity of the vote
  • a specific ceremony (different persons where each one is controlled by the others) is organized to open the external envelopes and put the internal ones into a box
  • once this is done, the internal envelopes are opened and scrutators can count actual votes (here again multiple persons, each controlled by the others)

So we need:

  • encryption systems to ensure that the votes are secret and not modified until they should be used => ok, we have plenty of them around thanks to strong crypto algorithms and checksums
  • a strong non repudiation (digital signature) system to identify the voters with no risk of error or fake signature => ok PKI with smartcards can do that part, but IMHO we cannot use anything weaker

The hard part is the trust in the system that opens the external message to store the identity of the voter, then opens the internal message to extract the vote. The problem is not technical here (many developers can write that easily), but who will be able to prove that the code contains nothing able to store who voted what or to change some votes? And who will prove that what is installed in the voting server is exactly the compilation of the original code, that no malware nor evil admin could have changed it?

It is possible, but would require persons of different political parties able to analyze source code, control the build procedure, the install procedure and the security of the whole system. Theoretically, it is much simpler than setting up voting places all around a country, but we are used to the latter and not to the former.

Serge Ballesta
  • Thanks for your reply! Oregon is all postal votes already; otherwise at the polling booth we need full body scanners to remove mobiles, and eyeball scanners. On bullet point 1, MITM may happen, but it can already at the post office. 2, the people working at the Ministry of Choice are strict and operate under laws (separate org to NSA). 3, yes, different OTP for each voter. 4, signature forgery: scan the signature and add it to a 'lost' envelope with a different vote. 5, 6, same ceremony at the MoC. On other stuff, the system has to be explained to a voter, so it has to be simple. – daniel Feb 24 '17 at 20:12
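Added example, not code from the question or from either answer: a Python model of the question's mod-10 digit scheme (Bob's pad 7163134879, memorized digit 5, vote 0, scrutiny 999) with the Ministry-side classification into counted / duress / spoilt / rejected, the single-digit change in transit that the question's last paragraph and this answer's first bullet describe, and a keyed MAC over the ciphertext that makes such a change detectable. The MAC key is an assumption of this example: a second per-voter secret, distinct from the pad, shared with the Ministry at the same visit. It addresses integrity only; it says nothing about keeping the vote secret from the Ministry, which the double-envelope process in this answer is about.

```python
import hmac
import hashlib

MOD = 10  # digit arithmetic with the carry discarded, as in the question


def digits(s):
    return [int(c) for c in s]


def encrypt_digits(plain, otp):
    """Add each plaintext digit to the matching pad digit modulo 10."""
    return "".join(str((p + k) % MOD) for p, k in zip(plain, digits(otp)))


def decrypt_digits(cipher, otp):
    """Subtract the pad digit from each ciphertext digit modulo 10."""
    return "".join(str((c - k) % MOD) for c, k in zip(digits(cipher), digits(otp)))


def encode_ballot(otp, secret_digit, vote, scrutiny=""):
    """Voter side. Layout from the question: 0, memorized digit, vote, extra scrutiny digits."""
    plain = [0, secret_digit, vote] + digits(scrutiny)
    if len(plain) > len(otp):
        # A pad digit must never be reused, so a short pad is a hard error, not a wraparound.
        raise ValueError("one-time pad too short for this ballot")
    return encrypt_digits(plain, otp)


def decode_ballot(cipher, otp, secret_digit, valid_votes=(0, 1)):
    """Ministry side: decrypt and classify the ballot the way the question describes."""
    plain = decrypt_digits(cipher, otp)
    if plain[0] != "0":
        return {"status": "rejected"}  # first digit wrong: not made with this voter's pad
    if int(plain[1]) != secret_digit:
        return {"status": "duress"}  # second digit wrong: voter signals coercion
    vote = int(plain[2])
    if vote not in valid_votes:
        return {"status": "spoilt", "vote": None, "scrutiny": plain[3:]}
    return {"status": "counted", "vote": vote, "scrutiny": plain[3:]}


def shift_digit(cipher, index, delta):
    """Change one ciphertext digit in transit. Because the pad is additive, the change
    lands on exactly one plaintext digit and nothing in the ballot reveals it."""
    c = digits(cipher)
    c[index] = (c[index] + delta) % MOD
    return "".join(map(str, c))


# Integrity layer (assumption of this example): a per-voter MAC key, separate from the pad,
# shared with the Ministry. The tag travels with the ciphertext digits.
def tag_ballot(cipher, mac_key):
    return hmac.new(mac_key, cipher.encode(), hashlib.sha256).hexdigest()


def verify_ballot(cipher, tag, mac_key):
    return hmac.compare_digest(tag_ballot(cipher, mac_key), tag)


if __name__ == "__main__":
    OTP = "7163134879"  # Bob's pad from the question
    SECRET = 5
    MAC_KEY = b"constructed-per-voter-mac-key"  # constructed sample value

    cipher = encode_ballot(OTP, SECRET, vote=0, scrutiny="999")
    print(cipher, decode_ballot(cipher, OTP, SECRET))  # 766202, counted as a no vote

    flipped = shift_digit(cipher, 2, 1)  # one digit added at the vote position
    print(flipped, decode_ballot(flipped, OTP, SECRET))  # 767202, now counted as a yes vote

    tag = tag_ballot(cipher, MAC_KEY)
    print(verify_ballot(cipher, tag, MAC_KEY))  # True
    print(verify_ballot(flipped, tag, MAC_KEY))  # False: the shift is caught
```

The classification order matters: the authentication digit is checked before the duress digit, so a message made with the wrong pad is rejected rather than reported as coercion. The MAC must be computed over the ciphertext digits with a key the voter can keep (a second line on the paper, for instance); a plain checksum would be as malleable as the ballot itself, which is why the answer asks for a keyed integrity control rather than a parity bit.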

I don't think this solves the problem because a voter loyal to the basilisk should upload the private key or a hash of it to prove later they did not change the key (record the key giving process in real time or upload a copy later). So then a normal in person polling station, with TSA like security to search the voters for cell phones and recording devices, is a better way to avoid the coercion from the next potentially evil elected government.

Also, at the key-giving process, even if the key is only shown through a telescope-style eyepiece which is also acting as a retina scanner, the voter could still covertly read the key out to his microphone as he is writing it down. So you would need searches before this process anyway.

daniel