by ajf3 3495 days ago
Why hasn't some state used a hash to allow trustworthy online voting? They could add a unique ID on the back of your driver's license and then allow you to use your unique ID to generate anonymous, one-time-use IDs. They could then have a publicly accessible server that at all times displays a column with anonymous ID and vote, and every person can verify that their personal vote is correctly displayed.
5 comments

In general, any process that allows an individual to verify their vote after the fact will enable coercion over voting. For example, in your proposal, an unscrupulous boss could make a demand before the election: "You must tell me the one-time ID you're voting with. If you choose not to, or if that ID doesn't show up in the registry having cast a vote for <candidate>, you're fired." I think that, no matter what the process is, if I can check how I voted I can also be made to check how I voted while someone watches over my shoulder and threatens consequences.
One solution is to make blackmailing people's votes illegal. Then the risk of someone recording him with a phone or hidden recorder would discourage your boss from blackmailing you. You could also make it illegal to reveal your vote to anyone else, to make it easier to spot coercion.

In extremely dishonest countries where the local courts, police, and election officials are all corrupt, a large mafia-style presence could coerce a lot of people into voting a certain way. But if any of these are at all trustworthy, it seems difficult to coerce anyone. And even then, the mafia abusing too many people (>5%) would cause them to riot.

@jjuhl answered that question somewhere else in the thread with homomorphic encryption (Numberphile: https://m.youtube.com/watch?v=BYRTvoZ3Rho ): the hash out of the machine doesn't tell who you voted for, but the sum of the hashes does tally properly. It's still unclear to me, but it's certain that there are mathematical solutions.
Potentially, a canary id, "show this one and it'll claim you voted for ____ and also alert the state election board that it was accessed"
That solves the boss problem. What about the government?
Vote manipulation by a foreign government is solved by having a verifiable ID/token in the first place.

Vote manipulation by the government the election is happening for isn't really something you can solve, because in that case the election isn't the problem.

What if an ID was generated and printed just before voting, with an option to print an arbitrary number of additional IDs of people who have already voted? The boss never knows which ID(s) he'd receive.
So you come into work on Monday thinking that everything will be peachy-keen, and get an all-hands email telling you that any employee that cannot prove that they voted for the "correct" candidate will be forced to resign.

Any system that can be abused, will be.

Verifiable vote technology generally does not reveal who the vote was cast for, only that the vote was cast and included in the tally. This makes issues of coercion or vote selling moot.
Your scheme seems vulnerable to vote buying, e.g., $20 to vote for my candidate, but you have to show me your number so I can check.
But vote buying is already rampant. Politicians already buy votes - promising benefits to key voting demographics, promising more or higher paying jobs for civil servants or the military, or promising lobby groups favourable laws/taxes/aid. Democracies are practically based around vote buying already. So your concern seems strange.
Making promises that might be implemented isn't "buying" a vote. As you said, that is an intended part of democracy. Promises are not guarantees. Instead, vote buying is giving an explicit quid pro quo such as paying $10 for every "correct" vote receipt.

Yes, this doesn't fix every problem, but it does fix some problems that used to be common.

> So your concern seems strange.

Then I strongly suggest reading more about the history of voting methods and technology. (the talk in my other post has a nice overview)

We no longer have problems like offering whisky for votes or employers that threaten to fire anybody that doesn't vote a certain way (although occasionally they still try).

What a strange straw man argument you make. You feel that any time the government does something that benefits someone it is "vote buying". We're discussing the physical mechanism of voting here and you've redefined basic terms to make some kind of off-topic political point.
Because, regularly, people don't trust computer scientists... or math (if it's too complex, and hashes definitely are).
And they trust the current blackbox more?

The reality is, people have no choice.

> trustworthy online voting

That doesn't exist. See this[1] talk by Andrew Appel (CS Prof. at Princeton) for a very nice overview of the technology in the traditional pre-printed secret ballot and why electronic/internet voting cannot be secured from all of the known threats.

TL;DR - Adding anything that can be used as an identifier enables vote buying or coercion. Adding computers introduces "Trusting Trust"-style problems where you never know what is actually running (hashing/verification only pushes the problem around).

[1] https://www.youtube.com/watch?v=abQCqIbBBeM

That's not a valid argument. Nothing is secure from all known threats.

The question is how (in)secure is the system. In this case, the voting protocol doesn't provide a means of verification.

Secure voting protocols have been around for quite a few years. jjuhl left this comment above https://news.ycombinator.com/item?id=13032602

Dan Boneh's Crypto 2 coursera course (https://www.coursera.org/learn/crypto2#) covers the concept.

There are voting protocols that use the same foundations as public-key crypto to allow for vote verifiability - you can validate that your vote has been taken into account in the tally without sacrificing the privacy of your vote. There are solutions for voter fraud too.

> Nothing is secure from all known threats.

Of course. That's why it's important to reduce the attack surface. Adding electronics (or worse, software) adds a huge amount of attack surface. The attack could be at any point from the CPU-internals to the software.

> the voting protocol doesn't provide a means of verification

Yes. That's a feature. Any new system cannot re-enable voter coercion.

> Homomorphic encryption

I already mentioned[1] that video yesterday. It's an interesting idea, but even Prof. Rivest in the video isn't claiming it's ready for use.

More importantly, the reply by marten-de-vries[2] brings up a very good counter argument to any voting system based on fancy math: the general population won't accept it. The voting process doesn't work unless the population considers it legitimate, and it will be hard to convince them if they first have to learn enough math to understand homomorphic (or public-key) encryption.

This is still interesting research that may evolve into a new type of voting protocol in the future.

[1] https://news.ycombinator.com/item?id=13020917

[2] https://news.ycombinator.com/item?id=13021517

> Adding electronics (or worse, software) adds a huge amount of attack surface. The attack could be at any point from the CPU-internals to the software.

You're missing the point. The voting protocol is built in such a way that you can verify that your vote was cast as intended, and that your vote was counted in the tally. Once everyone agrees on the voting protocol you don't need to trust someone else's electronics, you can do it on your own device, and use open source software.

> the voting protocol doesn't provide a means of verification

> Yes. That's a feature. Any new system cannot re-enable voter coercion.

You can have vote verification without enabling coercion. If you have a vote receipt it does not imply you can prove or disprove how you voted, but it does allow you to verify that your vote was included in the tally.

> More importantly, the reply by marten-de-vries[2] brings up a very good counter argument to any voting system based on fancy math: the general population won't accept it. The voting process doesn't work unless the population considers it legitimate, and it will be hard to convince them if they first have to learn enough math to understand homomorphic (or public-key) encryption.

I disagree. The general population doesn't know how RSA or AES work but we have HTTPS and the green-lock-thingy. You don't need to know how or why something works in order to reap its benefits.
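An added worked example, not code from any commenter in this thread, of the two mechanisms the replies above refer to: the additively homomorphic tally mentioned in the Numberphile/jjuhl comment (individual ciphertexts reveal nothing, but their combination decrypts to the correct count) and the inclusion receipt described in this reply (a voter can check that their ciphertext is on the public board without the board revealing the vote). It uses textbook Paillier encryption with two toy primes constructed for the demo (far too small to be secure); the function names and the receipt format are assumptions of the example, not any real voting system's API. The last helper, `open_vote`, shows the caveat a practitioner would want: a voter who keeps the encryption randomness `r` can prove their plaintext to a third party, which is exactly the channel the "bring your receipt" objection elsewhere in the thread relies on.

```python
"""Toy Paillier-based vote tally with a public bulletin board.

Added example for this thread (not any poster's code).  Keys are toy-sized
and the primes are constructed for the demo; do not reuse for anything real.
"""
import hashlib
import math
import secrets

# Constructed demo primes (assumption: ~20-bit primes, insecure key size).
P = 1000003
Q = 1000033


def keygen(p=P, q=Q):
    """Return ((n, g), (lam, mu)) for textbook Paillier with g = n + 1."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    # L(u) = (u - 1) / n ; mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """Encrypt plaintext m (here a 0/1 vote). Returns (ciphertext, r).

    r is the per-ballot randomness; two encryptions of the same vote with
    different r are unrelated-looking, which is what hides the vote on the board.
    """
    n, g = pub
    n2 = n * n
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2, r


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_ciphertexts(pub, cs):
    """Homomorphic addition: the product of ciphertexts encrypts the sum."""
    n, _ = pub
    n2 = n * n
    acc = 1
    for c in cs:
        acc = (acc * c) % n2
    return acc


def receipt(c):
    """Short fingerprint of a ciphertext; this is what the voter takes home."""
    return hashlib.sha256(str(c).encode()).hexdigest()[:16]


def run_election(pub, priv, votes):
    """votes: list of 0/1.  Returns (board, randomness, tally).

    board is the public list of (receipt, ciphertext); randomness is what each
    voter's device would have to keep secret for receipt-freeness.
    """
    board, rs = [], []
    for v in votes:
        c, r = encrypt(pub, v)
        board.append((receipt(c), c))
        rs.append(r)
    tally = decrypt(pub, priv, add_ciphertexts(pub, [c for _, c in board]))
    return board, rs, tally


def included(board, rcpt):
    """Voter-side check: is my receipt on the public board?"""
    return any(rc == rcpt for rc, _ in board)


def open_vote(pub, c, r, claimed):
    """With r, anyone can re-encrypt `claimed` and confirm it matches c.

    This is the coercion channel: a board entry alone hides the vote, but a
    voter who can hand over r can prove (or be forced to prove) how they voted.
    """
    c2, _ = encrypt(pub, claimed, r)
    return c2 == c


if __name__ == "__main__":
    pub, priv = keygen()
    board, rs, tally = run_election(pub, priv, [1, 0, 1, 1, 0])
    print("tally:", tally)                       # 3
    print("my receipt on board:", included(board, board[2][0]))
    print("can prove my vote was 1:", open_vote(pub, board[0][1], rs[0], 1))
```

Each board entry is a fresh randomised ciphertext, so reading the board tells you only that a ballot exists; the election authority decrypts a single combined ciphertext and never sees individual votes. Whether the voter can be made to reveal `r` is the whole coercion question the thread is arguing about; the code shows the mechanism, not a fix for it.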

> You're missing the point. The voting protocol is built in such a way that you can verify that your vote was cast as intended

No, you're missing the point. You don't know that the crypto was calculated properly, because you are not going to be calculating the crypto by hand. Prove - in the voting booth - that someone hasn't changed the software to give you the wrong crypto token.

> If you have a vote receipt it does not imply you can prove or disprove how you voted, but it does allow you to verify that your vote was included in the tally.

Do you not see that this is a contradiction? Someone coercing you simply demands that verification.

"Bring your verification receipt if you want to keep your job."

> HTTPS and the green-lock-thingy

TLS doesn't rely on the public understanding it for legitimacy. The public doesn't care about how it works; they care about if it's a reliable security feature. Legitimacy is lost if there are too many public failures.

Voting requires an understanding how the winner was decided. Your proposal will never be accepted if it is, in the eyes of the general public, a black box you submit your vote into that is only interpreted by a priesthood that they have to trust to interpret the votes. Adding up votes is understandable, but homomorphic encryption might as well be black magic.

This understanding is more important than ever, because we are currently experiencing a revolt against technocracy. Brexit and Trump are aspects of this revolt. If you think you can get the population to accept a voting protocol they don't understand, then you haven't been paying attention to the current political climate.

Check out the many threads about this on HN about why electronic voting is not going to be secure enough
If everyone can verify their votes, then they can sell their votes. E.g. A knows A's hash, and A can show X that A's hash voted for X, so that X will give A $20.