[rstuart4133]

> Because "scanning a QR code in an app" would lead to ...

> 1) integrity loss, ie reduction of peers in the secret sharing concept.

> 2) privacy loss, ie vote coercion, "show me you voted for our dear leader or something bad happens".

Following your instincts instead of doing the work required to understand Prêt à Voter will lead you to that conclusion. Your instincts are wrong in this case. Neither of your claims are true. The first paragraph of the Wikipedia page makes that plain. It says in part:

> In particular, Prêt à Voter enables voters to confirm that their vote is accurately included in the count whilst avoiding dangers of coercion or vote buying.

In case you haven't thought about it, vote buying is the hardest problem to solve for secret ballots. It is hardest because both the voter and a malicious third party are working cooperatively to corrupt the system. If you come up with a system that prevents that, you've pretty much solved all retail voting attacks. Prêt à Voter makes a vote verifiable, while ensuring votes can't be sold.

While you can't sell your vote with the typical implementation of Prêt à Voter, you can do it with your favoured paper ballot system:

1. Mallory obtains an authentic, blank ballot, and fills it in way he wants. Perhaps he does that by voting, pocketing the ballot paper, and putting the dummy in the ballot box.

2. Mallory gives the pre-filled ballot to a voter willing to sell his vote for an agreed sum outside the voting booth, where the transaction can't be detected. The voter isn't given his payment yet.

3. The voter goes into the secure voting place and is given a blank ballot. In the privacy afforded to him to cast a secret ballot he pockets the blank ballot, replacing it with the pre-filled ballot given to him by Mallory.

4. The voter casts the paid for vote.

5. The voter meets with Mallory in their secret spot, hands over the blank ballot and gets paid.

Rinse, lather and repeat all the way to winning the election.

If you haven't seen that little caper described before you will find it surprising. I did. But it is nowhere near the surprise you will get from spending the time to learn how Prêt à Voter achieves what appears to be impossible.

[croon]

> Following your instincts instead of doing the work required to understand Prêt à Voter will lead you to that conclusion. Your instincts are wrong in this case. Neither of your claims are true. The first paragraph of the Wikipedia page makes that plain.

This is from the actual paper, not wikipedia:

> C. Audit of ballot forms Voters may wish to check that the order of candidates claimed to be encrypted on the right-hand side does indeed correspond to the list printed on the left-hand side. If this were not the case then a vote cast for one candidate may be considered after decryption as a vote for a different candidate. To provide such reassurance, voters may elect to ‘audit’ a ballot form. This involves removing the left-hand side of the ballot form, and asking the system to decrypt the candidate list from the onion on the right-hand side. The voter can then check that the decrypted list matches the list of candidates printed on the left-hand side. In principle, this audit can be carried out as often as the voter wishes. This gives the voter confidence that the ballot forms have been correctly constructed.

> However, the voter is not allowed to cast a vote on a decrypted ballot form. Once the candidate list associated with a onion is known, vote privacy, and hence resistance to coercion and vote-selling, is lost. The audit process gives an individual voter confidence that the ballot forms are correctly constructed, but does not allow her to check the ballot form that she is using to cast the vote.

What I said in GP is that you can't verify WHAT you voted for AFTER the fact, because the concept of coercion hinges on being able to threaten or pay for something the victim can provide. It's a logical proof, you can't design that away. I'm not saying it's not a valid trade-off.

[rstuart4133]

> What I said in GP is that you can't verify WHAT you voted for AFTER the fact

Agreed, you can't prove you voted in a particular way in any system that prevents vote buying. I'm struggling to see why that is relevant to this discussion.

What Prêt à Voter does is allow you to confirm that your vote was counted accurately. Its magic is it does that without revealing how you voted. You've now read the paper and you didn't contest that, so I'm guessing you concede it's true.

My point above was the two claims you made, ie scanning a QR code in an app would somehow lead to integrity loss, and/or privacy loss in Prêt à Voter system are wrong. You don't seem to be contesting that either, so I guess you now concede they are indeed wrong.

You made those incorrect claims after I pointed out your earlier claim that checking your vote in a Prêt à Voter system is so difficult no-one would do it was also wrong, as it boils down to scanning a QR Code with an app. I guess you had to concede that is indeed pretty easy, so you invented those incorrect "facts" to prove scanning a QR Code couldn't work for other reasons. But it does work.

It's not a good track record, is it? One invented fact after another, all in an effort to prove end-to-end verifiable voting is somehow worse or less secure than our current paper systems.

That's also wrong of course, but worse than that many of our current systems aren't the "secret ballots cast in a secure polling place" system you are assuming we use. They are postal, or electronic, or worse the combination of the two we call internet voting. These electronic systems are particularly susceptible to wholesale attacks, and in my view they need something like Prêt à Voter to have a hope of being as secure as the old paper systems.

I will concede one thing. Personally I doubt in an election everyone thought was well run that many people would bother checking their vote was counted correctly, but that's not because it's hard, it's for the same reason we don't recount every paper ballot if it isn't close - why bother? But if there was a whiff of fraud in the air, it seems likely a lot of people would do the check, particularly if the Prêt à Voter receipt was recorded on their phone when they voted. That way they would not even have to scan a QR Code. They just feed the receipt to the checking app when the election results are published.

[croon]

I haven't been inconsistent, nor invented anything, I would suggest getting a third party to read this thread if you believe so.

However, I would also suggest reading the guidelines, specifically these:

> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

> When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."

> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

> Please don't comment on whether someone read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that".