Re: Auditing subcommittee meeting at clerk convention in Colorado

[Paul E Condon <pec@xxxxxxxxxxxxxxxx>]

On Thu, Jan 15, 2009 at 10:03:31PM -0700, Neal McBurnett wrote:
> On Thu, Jan 15, 2009 at 11:45:50AM -0700, Paul E Condon wrote:
> > On Thu, Jan 15, 2009 at 07:17:28AM -0700, Neal McBurnett wrote:
> > > > > > re. the footnote:
> > > > > > "If a computer pseudo-random number generator is used to help select
...
> Remember that it is essential that before the verifiable random
> selection is done, everything is published so that everyone knows what
> would be selected based on the random seed.  All the results are
> published, all the weights for all the precincts, etc.  Nothing must
> be left to the discretion of the officials except the random seed, or
> else once again the whole thing is not verifiable or can be
> manipulated.
> 
> Now suppose the attacker just needs to make sure that one particular
> precinct is not audited, for some odd reason.  All they have to do is
> calculate for each random number whether that precinct is audited or
> not.  If it is just a time stamp, they just have to wait until a time
> which results in no audit for the one they have to cover up.  If it is
> a product of timestamps, then the last person to go, who might well
> know what all the other timestamps were, simply again pre-calculates
> the results and chooses a favorable one.
> 
> While it may still be hard to use that to do a whole lot of mischief
> if you can only choose a few bits of the random number, the point is
> that there are far better methods than timestamps, whether or not you
> like ceremonies.

I think there are both subtle and foolish ways to use time stamps. On
reading Rivest, I formed an impression, perhaps mistaken, that his
method involved a lot of hand manipulation of data, and that some
subtle use of time stamps could be more simple to implement. I
suggested some ways to use time stamps that I think might be useful in
achieving the desired goal of an unbiased selection with less
fussing. There is nothing seriously wrong in principle with the Rivest
proposal to my knowledge. It just seemed to me that execution would be
onerous. But you see no problem with execution and you are the one
doing the work. I think uniqueness of the Rivest solution has not been
proven. That is to say, there are likely other ways of achieving
unbiased selection that meet the design requirements. I don't want to
continue to argue for a use of time stamps. I just thought there was a
problem with the Rivest proposal, which I now realize there is not.

> 
> For the other issues where you say that Rivest implies something in
> the paper, I remain puzzled, since that's not how I read it.  Page
> numbers would be helpful.
> 

In Rivest paper, page 3, 2nd column, 3rd paragraph, last sentence: 
"In particular, the election officials at(sic) precinct Pi can easily
do so, as can any citizen with a simple calculator."

Of course, we both understand why it's important at some level that
any citizen can verify, but why is that secondary to the officials at
a precinct doing a portion of the audit work? It's good that you
ignored this detail. I found it very off putting.

I've thought more about the Rivest work since my original email. His
function f(S;i) is more of a range of random hash functions than a
generator of a random sequence. I was mistaken in thinking a sequence
of random numbers was called for. I'm still a little confused as to
why this selection of a function is desired. I had thought it had to
do with the expectation that some of the work was to be done at the
precinct, but that's not so. Even if the reason for rejecting random
sequence generators turns out to be valid, why this particular set of
random hash functions? It seems I have more questions than answers.

Peace, and thanks for your patience.

-- 
Paul E Condon           
pecondon@xxxxxxxxxxxxxxxx