| 1 |
On Sat, 2021-08-28 at 12:30 +0200, Michał Górny wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Please review the following pre-GLEP. |
| 5 |
> |
| 6 |
|
| 7 |
I don't see the word "blockchain" anywhere? AFAIK it is required for |
| 8 |
all new voting protocols. |
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
> 3. When the voting phase beings, the system creates random identifiers |
| 13 |
> for all voters. Each identifier is encrypted using voter's PGP key |
| 14 |
> and sent via email to the voter. The voter-identifier mapping is |
| 15 |
> discarded immediately to reduce the risk of it leaking. |
| 16 |
> |
| 17 |
|
| 18 |
Maybe it goes without saying, but anyone with root on the system can |
| 19 |
obtain that mapping if he or she really wants to. |
| 20 |
|
| 21 |
It's also important that the identifiers not just be random, but |
| 22 |
randomly chosen from a population so large that they are impossible to |
| 23 |
guess or brute-force. And we should keep in mind that the identifiers |
| 24 |
themselves (but not the mapping) will always be available to someone. |
| 25 |
|
| 26 |
|
| 27 |
> |
| 28 |
> 5. When the voting phase ends, the system publishes the results |
| 29 |
> and the master ballot. |
| 30 |
> |
| 31 |
|
| 32 |
I can think of a few problematic scenarios: |
| 33 |
|
| 34 |
* An infra member takes the identifier of someone who doesn't vote, |
| 35 |
goes to the library, uses seven proxies, and votes for himself. |
| 36 |
Catching this requires a person who did not vote to verify the |
| 37 |
absence of his identifier on the master ballot, and to reveal that |
| 38 |
he did not vote. |
| 39 |
|
| 40 |
* Same as above, but the stolen identifier belongs to someone who |
| 41 |
_does_ try to vote. Do we reject his vote? Count both of them? |
| 42 |
Sorting this out would probably require the legitimate voter to |
| 43 |
reveal information about his vote; at the very least, that he did |
| 44 |
in fact vote. |
| 45 |
|
| 46 |
* The same person votes more than once. Can we distinguish this from |
| 47 |
the case above? |
| 48 |
|
| 49 |
* Anyone with access to the votes can just change them. This can be |
| 50 |
caught, but only if the voters verify the master ballot and are |
| 51 |
willing to speak up and say e.g. "I didn't vote for mgorny!" |
| 52 |
|
| 53 |
|
| 54 |
None of these are fatal flaws, since votify is even easier to hack. I'm |
| 55 |
only pointing them out because I think it's best to have the weaknesses |
| 56 |
out in the open. |
| 57 |
|
| 58 |
There is a lot of research being done on anonymous, verifiable (etc.) |
| 59 |
voting protocols, but it's hard to tell which ones are junk. The math |
| 60 |
literature often overlooks the implementation details, and that's |
| 61 |
usually where things go wrong. On the other hand, some implementation |
| 62 |
details can be ruled out-of-scope. It's hard to blame the voting system |
| 63 |
if the government decides to change the results and What Are You Gonna |
| 64 |
Do About It? (Some faith in infra is necessary.) |
| 65 |
|
| 66 |
My point is: in the future it may be worthwhile to document all of the |
| 67 |
requirements that we have for a voting system and just ask an expert |
| 68 |
for some recommendations that satisfy our criteria. But in the |
| 69 |
meantime, this sounds like an easy improvement to the process. |
Archives