How do you ensure a secret vote in electronic form, online, from your own computer, without leaving home? So that one person can cast only one vote, and cast it secretly? And how do you do it so that the voter can verify the result, that is, check how his vote was counted?
The task is not easy; you need to:
- Make sure that the person is authorized and has the right to vote,
- Give him strictly one anonymous ballot,
- Record his choice of a particular candidate,
- Anonymously accept his vote from his personal computer,
- Make it convenient for the voter.
Frankly, I have not solved this ideal formulation of the problem. But what came out is an algorithm that gives sufficient anonymity, accuracy and relatively little inconvenience for voters.
I immediately reject the existing online voting scheme that attaches an electronic signature to each vote, as Votenet did in Estonia: there can be no talk of anonymity there, since every vote is signed with an electronic digital signature (EDS), which rules out any anonymity. Hoping that the "votes" will never be unmasked ... well, that is somehow not very political ....
Let us consider the classic "paper" voting model from an IT person's point of view and compare what changes when it moves online ...
- A person comes to the polling station and is authenticated. This has already been solved: EDS plus biometrics, and if necessary a video conference with the election commission. The person works in a protected environment, in his own office.
- As a result of registration, the list of voters by address is published. Already at this stage everyone can check that he is on the list, that another 146 people have not been registered in his apartment, and that a new housing district did not spring up overnight. (Added from AlexSky's comment at habrahabr.ru/post/156423. Thanks for this important thought!)
- Then he is given one standard, identical paper ballot. In the electronic version we replace it with some arbitrary, random and sufficiently long character sequence that the person copies from a special page. These sequences are generated in series: the same sequence is given to everyone who votes at a given moment (see below). The voter gets access to this page only once per vote. To access it again he has to go through authorization again in full, and a second vote "erases" the result of the previous one (here the experience of Estonia is valuable). Perhaps it is also advisable to let a person re-vote no earlier than a day later ... That would make the protection against DDoS more reliable.
- The voter goes to the booth, where he makes his decision, marks the ballot and drops it into the ballot box. Here is what I propose for the electronic version:
- The "booth", the voting page, is completely open to the public. That is, the voter can connect to it from his computer through any anonymizer imaginable. This guarantees anonymity.
- On the page there are fields for entering a ballot, one per voting option. No campaigning, of course ... although I do not see the point of this restriction, since the whole Internet is right next door. The system is set up so that it accepts only "ballots", the character sequences from step 2.
- The voter copies the ballot into the field next to the chosen option and presses the "Vote" button.
- Actually, in the paper version this would be the end of it. But in the electronic version it would be a sin not to add verification of the vote: a certain mark on the ballot confirming that this particular ballot voted for this option. How to do this anonymously? Add your own random string of characters in an additional field, "Receipt"! This can be done simply by asking the user to press 30-50 random keys or, as is done in bank digital signature algorithms, to move the mouse around the screen for a while. We get a unique signature and anonymity. Then the voter is given in response a hash of the ballot code and the receipt. With this receipt a person can always find out how his vote was counted. I took this idea from David Bismark: www.ted.com/talks/lang/eng/david_bismark_e_voting_without_fraud.html
- And of course, to scare off bots (remember that the booth is open to the public), a long-long CAPTCHA should also be put in place.
At first glance, the system meets the requirements stated at the beginning. Hooray? Not really. It is clear that the system will be broken. If "ballot stuffing" in "paper" elections is not difficult, what should we expect when you can just copy and paste a line of characters? We simply rent a dozen sheds in China with "captcha-clickers" and ... profit!
I propose the following defense mechanisms against "stuffing". Four in all.
The first and most obvious is counting the ballots issued, since we know for sure how many people visited the ballot-receiving page at any given moment. So, if a ballot of a specific series was received by N people (and they may be located in different cities, so anonymity is preserved), then in the "voting booth" we can organize a countdown. And as soon as SUDDENLY someone tries to submit the N+1th ballot of the same series (that is, "stuffing"), the entire series is cancelled: its ballots are given the status "spoiled", all the votes of those who voted with this series are cancelled as well, and those people are invited to vote again, starting from item 1.
Second. The series of ballots change regularly, but at random intervals (30-60 s). This interval should not be very short (seconds): that would threaten anonymity. In a city of a million or more, with 50% turnout and an election lasting 7 days, just like in Estonia, only 15-30 people will vote every second. To ensure anonymity it is nevertheless necessary that about 1000 voters receive the same ballot, hence the interval of 30-60 seconds.
Third. Several "series" of ballots are "issued" at the same time. Why this is needed is explained just below; which series to show to each next voter is, again, chosen at random.
Fourth. Each series of ballots is not eternal but has a "lifetime", a period during which it is "accepted" by the "voting page". For example, 20-30 minutes. After that the ballot is no longer valid, and when someone tries to vote with an expired ballot, the voter is invited to go through authorization again, see item 1. This avoids fraud with "deferred" voting, when someone collects ballots and then submits them all at the end. Well, if an honest person cannot make up his mind in 30 minutes ... then it is probably better for him to come back tomorrow ...
The model of a random issue period and random series change is introduced in order to avoid attacks of the "synchronous stuffing" type. For example, if some manipulators knew the exact size of a series of ballots and that series were issued to all voters consecutively (I originally had such a scheme), then it would be possible to track the appearance of the first ballot of a new series and organize "stuffing" exactly up to the ballot "count", thereby leaving no room in this series for anyone else's votes while the number of ballots still matches. With random series changes this becomes impossible: the exact number of "issued" ballots is known only at the last moment of the "issue" of that series, since the time interval is random, and the number of "issued" ballots is determined by how many voters vote during this period. Quite a stochastic quantity, I think.
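To make the mechanics concrete, here is a toy model of the scheme above (steps 2 and 3 plus defences 1, 2 and 4), written as an added example for this post rather than any real system's code. The class and method names, the SHA-256 receipt hash and the explicit `now` clock are my assumptions; the third defence (several parallel series) is left out to keep it short.

```python
import hashlib
import secrets

class Series:
    """One series: an identical random ballot string, issued for a random window."""
    def __init__(self, opened_at, rotate_after, lifetime):
        self.ballot = secrets.token_hex(32)          # the long random ballot string
        self.issued = 0                              # N: voters who received this series
        self.votes = {}                              # receipt hash -> chosen option
        self.rotate_at = opened_at + rotate_after    # when issuance moves to a new series
        self.expires_at = opened_at + lifetime       # after this the ballot is no longer accepted
        self.spoiled = False

class VotingSystem:
    def __init__(self, options, lifetime=1800):     # assumed 30-minute lifetime
        self.options, self.lifetime = set(options), lifetime
        self.series, self.current = {}, None         # ballot string -> Series

    def issue_ballot(self, now):
        """Step 2: the one-time ballot page shown after authorization."""
        if self.current is None or now >= self.current.rotate_at:
            # Defence 2: switch series at a random 30-60 s interval.
            self.current = Series(now, 30 + secrets.randbelow(31), self.lifetime)
            self.series[self.current.ballot] = self.current
        self.current.issued += 1
        return self.current.ballot

    def cast_vote(self, ballot, option, receipt_entropy, now):
        """Step 3: the public 'booth'. Returns (status, detail)."""
        s = self.series.get(ballot)
        if s is None or option not in self.options:
            return ("rejected", "unknown ballot or option")
        if s.spoiled:
            return ("rejected", "series spoiled, re-authorize")
        if now > s.expires_at:                       # Defence 4: lifetime expired
            return ("rejected", "ballot expired, re-authorize")
        if len(s.votes) >= s.issued:
            # Defence 1: the N+1th ballot of a series cancels the whole series.
            s.spoiled, s.votes = True, {}
            return ("spoiled", "series cancelled, all its voters must vote again")
        receipt = hashlib.sha256((ballot + receipt_entropy).encode()).hexdigest()
        s.votes[receipt] = option
        return ("accepted", receipt)

    def check_receipt(self, receipt):
        """The voter checks how his vote was counted (None if cancelled or unknown)."""
        for s in self.series.values():
            if receipt in s.votes:
                return s.votes[receipt]
        return None

    def tally(self):
        counts = {o: 0 for o in self.options}
        for s in self.series.values():
            for option in s.votes.values():
                counts[option] += 1
        return counts
```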
Of course, such a scheme is not very convenient for voters, but it does not allow stuffing, since it makes stuffing extremely costly and risky: after each "stuffing" everyone will have to re-vote "until blue in the face". And, for example, after 100 re-votes it will be possible to identify individuals who for some reason always "turn up" in every re-vote and begin ... individual work with them.
Fraud is also excluded, following David Bismark's method, by the receipts.
In order for voters to be additionally sure of the secrecy of the vote, all "expired" ballots should be published so that people can make sure they really were all identical.
Yes, such a vote may take more than one day, but it does not require keeping an open network of polling stations across the whole country. And, as the experience of Estonia shows, e-voting may well take several days ...