Tuesday, 12 December 2006

Pre-encrypted ballots

I'm assuming, from the angle Jason Kitcat took on this subject, that he agrees pre-encrypted ballots do successfully protect votes on the wire from alteration and inspection. He's offered no counterclaims in this respect, so I think it's safe to assume he does agree (not that he could ever say so).

I'm not sure which description Jason was reading with regard to the allocation of PCINs / response codes, as the following statement is just downright wrong:

Indeed, because the candidate numbers are unique to that voter then voters will worry that their vote will be more easily traceable than before.

BZZZT! Sorry, PCINs are not unique to the voter; they only have to be unique in combination with the voter's credentials and the contest being voted in. I'd be interested to hear how a five-digit number could be made unique across an electorate of 200,000, given that there are only 100,000 five-digit numbers to go round. For Jason to make this assertion demonstrates that either:

  1. He didn't read the description, or
  2. He gathered only the most superficial understanding of the process.

As to whether or not voters will trust the process of PCIN allocation and response code verification, we'll have to see. I don't know of any pilots that have made use of pre-encrypted ballots yet, and would be interested to see how any that did went. But that's largely the point of pilots, isn't it? To try things out and find out how they're accepted. I'm sure that any electorate that in general trusts the voting system would be more than capable of trusting a pre-encrypted ballot.

Finally, an attack against the list (actually there would be two lists, since the secret is split between them) would require breaking into two systems, gaining access to the private decryption keys (held on smartcards) and decrypting the relevant data. Each of those hurdles is exactly what makes your vote safer than it would be without them. To simply make the sweeping statement:

Instead of changing individual digital ballots, why not attack this list?

assumes we'd just put the list together in clear text. We wouldn't be so dumb: sign the data with the generator's private key and you've got another machine to break into and another private key to retrieve from a physical smartcard. The signature is what stops the list being altered; it's the encryption and the split that stop it being read. And you can add more security on top of that. It's not 100% secure, but then nothing in the entire history of human existence can claim to be 100% secure; certainly a paper ballot isn't either.
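To make the two points above concrete (that a PCIN is only unique per voter-and-contest and so can't by itself be traced back to a voter, and that the lookup list is split across two systems and signed so that a single stolen share reveals nothing and any alteration is detected), here is an illustrative model written for this post. It is not code from any pilot or vendor, and it assumes details the post doesn't give: five-digit PCINs, four-digit response codes, JSON as the list encoding, XOR secret-splitting into two shares, and an HMAC standing in for the generator's signature (a real deployment would use a public-key signature with the private key on a smartcard).

```python
"""Illustrative model of pre-encrypted ballot codes and the protected lookup
list. Added example, not from the original post or any real pilot system.
Assumed details (not from the post): 5-digit PCINs, 4-digit response codes,
JSON list encoding, XOR secret-splitting into two shares, HMAC as a stand-in
for the generator's signature."""
import hashlib
import hmac
import json
import secrets
from collections import Counter

PCIN_SPACE = 100_000      # a five-digit PCIN: 00000..99999 (only 100,000 values)
RESPONSE_SPACE = 10_000   # assumed four-digit response code


def allocate_codes(credential, contest, candidates, rng=None):
    """Return {candidate: (pcin, response_code)} for one voter in one contest.
    Codes are drawn independently per (credential, contest), so a PCIN is
    distinct only among the candidates on this one ballot; the same five
    digits recur on other voters' ballots (see shared_pcin_count)."""
    rng = rng or secrets.SystemRandom()
    pcins = rng.sample(range(PCIN_SPACE), len(candidates))
    responses = rng.sample(range(RESPONSE_SPACE), len(candidates))
    return {c: (f"{p:05d}", f"{r:04d}")
            for c, p, r in zip(candidates, pcins, responses)}


def allocate_electorate(n_voters, contest, candidates, rng=None):
    """Allocate codes for n_voters; keys are (credential, contest)."""
    return {(f"voter-{i:06d}", contest):
            allocate_codes(f"voter-{i:06d}", contest, candidates, rng)
            for i in range(n_voters)}


def shared_pcin_count(ballots):
    """Number of PCIN values appearing on more than one ballot. With more than
    PCIN_SPACE // len(candidates) ballots this is >= 1 by the pigeonhole
    principle, so a PCIN on its own cannot identify a voter."""
    counts = Counter(p for codes in ballots.values() for p, _ in codes.values())
    return sum(1 for n in counts.values() if n > 1)


def encode_list(ballots):
    """Canonical JSON bytes of the lookup table keyed by 'credential|contest'.
    This is the artefact an attacker would want to read or alter; it is
    never stored in this clear form (see split_list / sign_list)."""
    table = {f"{cred}|{contest}": {pcin: [cand, resp]
                                   for cand, (pcin, resp) in codes.items()}
             for (cred, contest), codes in ballots.items()}
    return json.dumps(table, sort_keys=True, separators=(",", ":")).encode()


def split_list(blob, rng=None):
    """XOR secret-split: each share alone is uniformly random and reveals
    nothing about the list; both shares (held on separate systems) are
    needed to reconstruct it."""
    rng = rng or secrets.SystemRandom()
    share_a = bytes(rng.getrandbits(8) for _ in blob)
    share_b = bytes(x ^ y for x, y in zip(blob, share_a))
    return share_a, share_b


def join_list(share_a, share_b):
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def sign_list(blob, key):
    """HMAC-SHA256 stands in for the generator's signature (assumption)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def verify_list(blob, key, sig):
    return hmac.compare_digest(sign_list(blob, key), sig)


def resolve_vote(blob, credential, contest, pcin):
    """Tallier side: map a submitted PCIN to (candidate, response_code) using
    the voter's credential and the contest. Without the credential the same
    PCIN is ambiguous by design."""
    entry = json.loads(blob).get(f"{credential}|{contest}", {}).get(pcin)
    return tuple(entry) if entry else None


def tamper(share, index, mask=0x01):
    """Attacker flips one bit in one stored share; the rejoined list then
    fails verification."""
    b = bytearray(share)
    b[index] ^= mask
    return bytes(b)


if __name__ == "__main__":
    ballots = allocate_electorate(50_001, "mayor", ["Alice", "Bob"])
    print("PCIN values shared across ballots:", shared_pcin_count(ballots))
    blob = encode_list(ballots)
    key, sig = secrets.token_bytes(32), None
    sig = sign_list(blob, key)
    a, b = split_list(blob)
    print("intact list verifies:", verify_list(join_list(a, b), key, sig))
    print("tampered list verifies:", verify_list(join_list(tamper(a, 10), b), key, sig))
```

With two candidates and 50,001 voters there are 100,002 PCIN draws from a space of 100,000, so at least one value must appear on two different ballots regardless of how the random numbers fall; the response code a voter gets back depends on their credential as well as the PCIN, which is what makes the scheme checkable without making it traceable.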

More soon...