On Sat, 2021-08-28 at 12:30 +0200, Michał Górny wrote:
> Hi,
>
> Please review the following pre-GLEP.
>

I don't see the word "blockchain" anywhere? AFAIK it is required for
all new voting protocols.


> 3. When the voting phase begins, the system creates random identifiers
> for all voters. Each identifier is encrypted using the voter's PGP key
> and sent via email to the voter. The voter-identifier mapping is
> discarded immediately to reduce the risk of it leaking.
>

Maybe it goes without saying, but anyone with root on the system can
obtain that mapping if he or she really wants to.

It's also important that the identifiers not just be random, but
randomly chosen from a population so large that they are impossible to
guess or brute-force. And we should keep in mind that the identifiers
themselves (but not the mapping) will always be available to someone.


>
> 5. When the voting phase ends, the system publishes the results
> and the master ballot.
>

I can think of a few problematic scenarios:

* An infra member takes the identifier of someone who doesn't vote,
  goes to the library, uses seven proxies, and votes for himself.
  Catching this requires a person who did not vote to verify the
  absence of his identifier on the master ballot, and to reveal that
  he did not vote.

* Same as above, but the stolen identifier belongs to someone who
  _does_ try to vote. Do we reject his vote? Count both of them?
  Sorting this out would probably require the legitimate voter to
  reveal information about his vote; at the very least, that he did
  in fact vote.

* The same person votes more than once. Can we distinguish this from
  the case above?

* Anyone with access to the votes can just change them. This can be
  caught, but only if the voters verify the master ballot and are
  willing to speak up and say e.g. "I didn't vote for mgorny!"


None of these are fatal flaws, since votify is even easier to hack. I'm
only pointing them out because I think it's best to have the weaknesses
out in the open.

There is a lot of research being done on anonymous, verifiable (etc.)
voting protocols, but it's hard to tell which ones are junk. The math
literature often overlooks the implementation details, and that's
usually where things go wrong. On the other hand, some implementation
details can be ruled out-of-scope. It's hard to blame the voting system
if the government decides to change the results and What Are You Gonna
Do About It? (Some faith in infra is necessary.)

My point is: in the future it may be worthwhile to document all of the
requirements that we have for a voting system and just ask an expert
for some recommendations that satisfy our criteria. But in the
meantime, this sounds like an easy improvement to the process.
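The following is an added illustration of the two points raised in the reply above (identifiers drawn from an unguessable space, and what the published master ballot can and cannot reveal about stolen or duplicated identifiers). It is not code from the pre-GLEP, from votify, or from the message's author. Everything in it is an assumption for illustration: the identifier format (128 bits from the OS CSPRNG, URL-safe base64), the ballot as a list of (identifier, vote) pairs, and the fake identifiers and votes in `demo()`.

```python
import secrets
from collections import Counter

# Added illustration, not the GLEP's code. Assumed identifier format:
# 128 random bits from the OS CSPRNG, rendered as URL-safe base64.
# Assumed ballot format: a list of (identifier, vote) pairs.
ID_BYTES = 16


def make_identifiers(n_voters):
    """Issue one identifier per voter.

    secrets.token_urlsafe draws from os.urandom, so the identifiers are
    unpredictable; 128 bits makes the space large enough that guessing one
    is hopeless even when thousands of them are valid at once. The caller
    encrypts ids[i] to voter i and then forgets the index.
    """
    ids = [secrets.token_urlsafe(ID_BYTES) for _ in range(n_voters)]
    if len(set(ids)) != n_voters:  # practically impossible, but check anyway
        raise RuntimeError("identifier collision; regenerate")
    return ids


def expected_guesses_per_hit(n_voters, id_bits=ID_BYTES * 8):
    """Expected number of random guesses before hitting *any* valid identifier.

    An outside attacker does not need a particular voter's identifier; any
    of the n issued ones will do, so the odds per guess are n / 2**bits.
    """
    return 2 ** id_bits / n_voters


def check_master_ballot(issued, ballot):
    """Checks that whoever holds the *set* of issued identifiers can run.

    Reports identifiers used more than once, identifiers on the ballot that
    were never issued, and how many issued identifiers were never used.
    A duplicate may be one voter voting twice or a thief colliding with the
    legitimate voter; the ballot alone cannot tell which. An identifier used
    exactly once looks legitimate even if its owner never voted.
    """
    counts = Counter(ident for ident, _ in ballot)
    return {
        "duplicates": {i: c for i, c in counts.items() if c > 1},
        "unknown": sorted(i for i in counts if i not in issued),
        "unused": len(set(issued) - set(counts)),
    }


def voter_check(ballot, my_id, my_vote):
    """The check each voter must do for tampering to be caught at all.

    Pass my_vote=None if you did not vote. Returns "ok", "forged" (you did
    not vote but your identifier is on the ballot), "absent" (your vote was
    dropped), "duplicate" (your identifier appears more than once), or
    "altered" (the recorded vote differs from what you cast).
    """
    recorded = [vote for ident, vote in ballot if ident == my_id]
    if my_vote is None:
        return "forged" if recorded else "ok"
    if not recorded:
        return "absent"
    if len(recorded) > 1:
        return "duplicate"
    return "ok" if recorded[0] == my_vote else "altered"


def demo():
    """Constructed scenario with fixed, fake identifiers, mirroring the
    cases raised in the thread. Returns (report, ballot)."""
    issued = {"id-alice", "id-bob", "id-carol", "id-dave"}
    ballot = [
        ("id-alice", "mgorny"),
        ("id-bob", "mgorny"),
        ("id-bob", "someone-else"),   # bob's identifier cast twice
        ("id-dave", "infra-member"),  # dave never voted; his id was taken
    ]
    return check_master_ballot(issued, ballot), ballot


if __name__ == "__main__":
    report, ballot = demo()
    print(report)  # dave's stolen vote is invisible here; only he can flag it
    print(voter_check(ballot, "id-dave", None))
    print(f"{expected_guesses_per_hit(200):.2e} guesses to hit one of 200 ids")
```

The report from `demo()` flags bob's identifier as a duplicate but says nothing about dave's: from the system's side the stolen-identifier vote is indistinguishable from a legitimate one, which is exactly why the scheme depends on dave running `voter_check` himself and being willing to say that he never voted.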