Validation of Ballot Chaining #252
Replies: 9 comments 4 replies
-
|
Validation of ballot chaining has two aspects that might cause problems:
|
Beta Was this translation helpful? Give feedback.
-
|
This might be a good opportunity to explain the rationale behind ballot chaining. It is not critical to E2E-verifiability or anything else that we do, and we could simply eliminate it if it becomes too onerous. The value of ballot chaining is that it mitigates what is sometimes called a "trash attack". Without chaining, there is nothing to stop malicious insiders from simply discarding ballots they they might suspects will not be checked. One instantiation would be that a poll worker collects the trash outside of a poll site at the end of the day and picks up any tracking codes that have been discarded. Although not impossible, it is very unlikely that anyone will miss any of these codes if they are simply deleted and replaced with fraudulent new ones. By chaining ballots, and specifically tacking codes, it becomes impossible for rogue insiders to replace ballots after the fact. Any change in the middle of a chain would alter all subsequent tracking codes. Rogue poll workers could potentially still see a voter discard a tracking code and quickly delete the ballot before the next voter arrives, but this is much harder to effect. There is also nothing to stop the end of a chain from being altered, so the ideal would be to ensure that the final tracking code has high visibility by engaging in a process that causes a final tracking code to be produced and shown to everyone present when a poll is closed. It's presumably simplest to have the chains be per device to minimize communication and dependencies. Although there is a lot of flexibility in how this is implemented. Also, as RC says, there is no point in a chain for the RLA scenario since the attack does not apply in that case. |
Beta Was this translation helpful? Give feedback.
-
|
I have two modest requests:
On a BMD which wants to output some sort of hash commitment, it can ask the log machinery for the latest commitment, and output that alongside whatever else it's writing into the voter's receipt. In that paper that Crosby and I wrote in 2009, we thought a lot about these sorts of issues. I'd hope we can benefit from some of that thinking now. Also, there's some old Python code banging around that we can use as a template, although it's going to be Python2, so no type annotations, etc. |
Beta Was this translation helpful? Give feedback.
-
|
I’m all in on Merkle aggregation; it’s now my phrase of the week and maps exactly to how we (“we” meaning people that are not me) were thinking of things
|
Beta Was this translation helpful? Give feedback.
-
|
As an outsider, Im swayed by Josh's argument that chaining is important, and despite his disclaimers, maybe even necessary. I do understand its not useful in RLA. And that a central scanner might output very large chains that deserve big-O attention. The use case I am wondering about is when the election record comes from a single precinct level voting machine (what's a typical ballot count range for those?). But then there are thousands (how many?) of those in a populous election district. What could help prevent bad actors from adding spurious election records? |
Beta Was this translation helpful? Give feedback.
-
|
These are some notes from looking at the latest spec, thought it would be worth consolidating here: 6.A H0 = H(Q̅)We talked about letting H0 be something else, though I dont see any problem with it being H(Q̅ ). 6.B H_i = H(H_i−1, D, T, B_i )
6.C the closing H(H_last , "CLOSE") is correctly computed from the final tracking code H_last .Seems like you could just store H_last in the election record, maybe the PublishedCiphertextTally? |
Beta Was this translation helpful? Give feedback.
-
|
6.A The initial hash H_0 should include the extended base hash Q̅. If desired, it could contain a per-device start code or any other additional date. 6.B Yes. The detailed format of the date, time, etc. can be chosen as convenient for the implementation. But we should make them clear for everyone to see and replicate. 6.C An explicit CLOSE of each hash chain is probably not necessary, but it seems like a useful safety feature. The process expectation would be that when poll workers take the steps to close a precinct that one of these steps will cause a closing hash to be computed and then immediately published to all present along with the cleartext tallies. We could probably just publish the final tracking code at that time, but an explicit closing hash precludes any possibility of subsequent hashes being tacked onto the end. |
Beta Was this translation helpful? Give feedback.
-
|
Hello hello, just wondering if there's any ideas whether a Merkle tree-like structure for efficient inclusion is on the cards for the near future? Or is it more a long-term goal? |
Beta Was this translation helpful? Give feedback.
-
|
moving this discussion to the main electionguard repo: |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
This is to continue the conversation of Ballot Chaining from this issue:
Main Issue
Election-Tech-Initiative/electionguard-python#272
Related Issue
Referencing the relevant members of that convo
@JohnLCaron
@AddressXception
@rc-ms
@danwallach
@benaloh
Beta Was this translation helpful? Give feedback.
All reactions