Open electronic voting (proof by contradiction)
Following in the footsteps of Habratopik and numerous others about anonymous , open , honest voting, I want to conduct an independent investigation and come to a simple and understandable decision about what is achievable and what is not, and under what conditions.
In terms of terminology close to programmers, find the CAP for this task. For example, we all know that reducing the error of the first kind, the error of the second kind increases . By drawing an analogy, reducing anonymity, we increase credibility; increasing the anonymity, reduce the reliability.
In general, in order to be objective, and not unfounded, we use the method of excluded third (the method by contradiction). I hope the representatives of intuitionistic logic will not mind.
')
Further reasoning does not seem obvious and can be considered as compromises or options. And, yes, I do not exclude that in theory all voting systems already use these theses.
On the basis of the abstracts obtained above, I will give a voting model that seems simple to me and satisfies the requirements outlined. All, as before, go to the polling stations with a randomly unique number (generated in advance or at the polling station), but known only to the voter. Then the pair number-choice + group signs is put in the ballot box or immediately sent to the CEC. Where it becomes available in 10-30 minutes in the general database (delay, so that it is impossible to track the voters of the time).
In order to exclude all applications, I voted for one, and my vote was replaced (This is always possible in an anonymous system!), The following procedure is carried out.! A person is invited to check the result, after eating a pie and 15 minutes of waiting, and if something does not match, write a statement with the competent authorities and change the voice. Of course, this procedure instantly deanonimizes a person, but will allow him to make his choice!
This model does not guarantee that any election can take place. If, for example, coming home> 20% of the population did not find their results or the group indicators deviated far from the census norm, then of course the elections should be recognized as invalid and held again.
Thanks for attention.
In terms of terminology close to programmers, find the CAP for this task. For example, we all know that reducing the error of the first kind, the error of the second kind increases . By drawing an analogy, reducing anonymity, we increase credibility; increasing the anonymity, reduce the reliability.
In general, in order to be objective, and not unfounded, we use the method of excluded third (the method by contradiction). I hope the representatives of intuitionistic logic will not mind.
')
Theses
- The results should be open to all and all verifiable, by counting the votes.
Suppose the results are not open. That is, the results are not published, in general, or one or two numbers are published, that is, only the final results are available. It looks unreliable, because on the way from the results to the final results, there could be an error that affected the result. In any case, if all the results are not available to all, there may be collisions, misunderstandings and double counting. In fact, the situation that all results are available only to a limited circle of people is rightly considered discriminatory and unacceptable. So, the option with the closed results is not applicable! hp
Actually, there are methods for checking results by indirect signs (exit poll, distribution of voting time depending on votes), but all these methods are complex and have a major drawback, they are indirect .
Conclusion According to the voting results, the base (table) with all votes and choice should be published. - Anyone should be able to verify their vote on the published database.
Suppose that someone can not check how he voted. Hence, it is possible that someone in the middle could have replaced his voice (MIM problem). This is highly undesirable and unacceptable. hp
Of course, following the rules of simple anonymity, we do not want the database to write the name and address of the person. So there must be some key, known only to the man himself! - The key should not be issued by any authorization center.
If we imagine that the key is issued by some center, then this center has all the data to match the person and his voice (the base of votes has been published). Even possessing unlimited trust, the center (or someone else) can always abuse it. So, we will consider this aspect of deanonymity as undesirable. hp
It is worth noting that the secret of determining the key and the secret of voting are not connected in any way. For example, to ensure the secrecy of the vote in most cases is impossible, even using the Internet and https (someone can always stand behind). - The voices database should contain some group anonymous, but verifiable features.
If the database does not contain any secondary signs regarding a person, then it is extremely easy to throw in votes, which is not desirable.
One of these signs may be the total number of votes. The obvious fact is that the number of votes should not exceed the number of the population. You can also include the gender or polling station or the voting time (?). For example, independent observers can check the number of people who voted at one polling station and be guided by this to verify the results.
Further reasoning does not seem obvious and can be considered as compromises or options. And, yes, I do not exclude that in theory all voting systems already use these theses.
Working model
On the basis of the abstracts obtained above, I will give a voting model that seems simple to me and satisfies the requirements outlined. All, as before, go to the polling stations with a randomly unique number (generated in advance or at the polling station), but known only to the voter. Then the pair number-choice + group signs is put in the ballot box or immediately sent to the CEC. Where it becomes available in 10-30 minutes in the general database (delay, so that it is impossible to track the voters of the time).
In order to exclude all applications, I voted for one, and my vote was replaced (This is always possible in an anonymous system!), The following procedure is carried out.! A person is invited to check the result, after eating a pie and 15 minutes of waiting, and if something does not match, write a statement with the competent authorities and change the voice. Of course, this procedure instantly deanonimizes a person, but will allow him to make his choice!
This model does not guarantee that any election can take place. If, for example, coming home> 20% of the population did not find their results or the group indicators deviated far from the census norm, then of course the elections should be recognized as invalid and held again.
Unresolved issues
- Anonymity of voting . Strictly speaking, I do not know how it can be solved. In principle, the classical methods work quite well: an urn, an individual room with a computer or a voting machine.
- Miscalculation statements and authorities . In any system with anonymity, it is not possible to check for whom the person really voted. Therefore, there is a high probability that a certain group of people will constantly disrupt the elections due to the huge number of “dishonest” statements. At the same time, this may be a sign of constant fraud. What exactly of the two is difficult to determine.
- Deanonimization through group signs . For example, a site number is a group attribute, but oddly enough some sites may be small and sufficiently closed to easily identify the voice of a certain person. The method of struggle: an increase in aggregation of the group attribute.
Thanks for attention.
Source: https://habr.com/ru/post/156153/
All Articles