
✨ Add ballot validation to verifier's Validation Steps in the specification.

Open · JohnLCaron opened this issue 2 years ago · 1 comment

Is there an existing issue for this?

  • [X] I have searched the existing issues

Suggestion

The method CiphertextBallot.is_valid_encryption() should be called on each SubmittedBallot before tallying. This is done in CiphertextTally.batch_append(). However, there is nothing in the spec that mentions the need for this, nor is it part of the "Validation steps" for an election verifier.

This check prevents the SubmittedBallot from being modified after encryption and before tallying, in a way that would affect the tallied results. Adding this test to the verifier would ensure that the verifier would catch any such problem.


Possible Implementation

For each selection in the ballot:
  selection.crypto_hash = H(object_id, description_hash, ciphertext.crypto_hash())

For each contest in the ballot:
  contest.crypto_hash = H(object_id, description_hash, List[selection.crypto_hash])

For each ballot:
  crypto_hash = H(object_id, manifest_hash, List[contest.crypto_hash])

Anything else?

The ballot chaining is necessary to prevent this vulnerability also.

3.3.4 Tracking codes (spec 1.0) has this sentence implying the hash chain is optional:

In addition, if the election definition file specifies a hash chain (the second option above) ...

If there is no hash chain, one would need to ensure that the SubmittedBallot.crypto_hash was not modified in some other way.

JohnLCaron, Mar 11 '22 15:03
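The recomputation rules under "Possible Implementation", and the point under "Anything else?" that the tracking-code hash chain is still needed, as an added example (not ElectionGuard's own code and not the issue author's). It assumes a stand-in hash H() (SHA-256 over length-prefixed fields) and toy integer pairs in place of ElGamal ciphertexts; the reference library's hash function and ciphertext hashing are not reproduced. It checks only the hash rules the issue lists and does not verify the zero-knowledge proofs that accompany each encrypted selection.

```python
# Added example (not ElectionGuard's own code): recompute the selection -> contest
# -> ballot crypto_hash rules from the issue, check a SubmittedBallot against its
# stored hashes, and show why the tracking-code hash chain is still needed.
# H() is a stand-in (SHA-256 over length-prefixed fields), not the library's hash.
import copy
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

def H(*parts: str) -> str:
    """Stand-in H(): SHA-256 over length-prefixed UTF-8 parts (unambiguous concatenation)."""
    h = hashlib.sha256()
    for p in parts:
        b = p.encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()

@dataclass
class Selection:
    object_id: str
    description_hash: str
    ciphertext: Tuple[int, int]   # stand-in for the ElGamal (pad, data) pair, not real group elements
    crypto_hash: str = ""

@dataclass
class Contest:
    object_id: str
    description_hash: str
    selections: List[Selection]
    crypto_hash: str = ""

@dataclass
class Ballot:
    object_id: str
    manifest_hash: str
    contests: List[Contest]
    crypto_hash: str = ""

# The three recomputation rules from the issue, one per level.
def selection_hash(s: Selection) -> str:
    ct_hash = H(str(s.ciphertext[0]), str(s.ciphertext[1]))   # stands in for ciphertext.crypto_hash()
    return H(s.object_id, s.description_hash, ct_hash)

def contest_hash(c: Contest) -> str:
    return H(c.object_id, c.description_hash, *(selection_hash(s) for s in c.selections))

def ballot_hash(b: Ballot) -> str:
    return H(b.object_id, b.manifest_hash, *(contest_hash(c) for c in b.contests))

def seal(b: Ballot) -> Ballot:
    """What the encrypting device does: fill every crypto_hash field bottom-up."""
    for c in b.contests:
        for s in c.selections:
            s.crypto_hash = selection_hash(s)
        c.crypto_hash = contest_hash(c)
    b.crypto_hash = ballot_hash(b)
    return b

def hash_mismatches(b: Ballot) -> List[str]:
    """Verifier step: recompute every hash; return object_ids whose stored hash differs."""
    bad = []
    for c in b.contests:
        bad += [s.object_id for s in c.selections if s.crypto_hash != selection_hash(s)]
        if c.crypto_hash != contest_hash(c):
            bad.append(c.object_id)
    if b.crypto_hash != ballot_hash(b):
        bad.append(b.object_id)
    return bad

def tracking_chain(ballots: List[Ballot], seed: str) -> List[str]:
    """Spec-style tracking codes: code_i = H(code_{i-1}, ballot_i.crypto_hash)."""
    codes, prev = [], seed
    for b in ballots:
        prev = H(prev, b.crypto_hash)
        codes.append(prev)
    return codes

def make_ballot(i: int) -> Ballot:
    """Constructed sample: one contest, a vote for alice (the 0/1 vote is folded into 'data')."""
    sels = [Selection("alice", "desc-alice", (1000 + i, 2000 + 10 * i + 1)),
            Selection("bob", "desc-bob", (1000 + i, 2000 + 10 * i + 0))]
    return Ballot(f"ballot-{i}", "manifest-hash", [Contest("contest-1", "desc-contest-1", sels)])

def demo() -> Dict[str, object]:
    seed = H("constructed-election-seed")
    ballots = [seal(make_ballot(i)) for i in range(3)]
    published = tracking_chain(ballots, seed)          # what voters and observers hold
    # Attack 1: swap ballot 1's two ciphertexts after encryption (moves the vote to bob).
    tampered = copy.deepcopy(ballots)
    s = tampered[1].contests[0].selections
    s[0].ciphertext, s[1].ciphertext = s[1].ciphertext, s[0].ciphertext
    naive = hash_mismatches(tampered[1])               # recomputation catches this
    # Attack 2: also re-seal the hashes; recomputation is now silent and only the
    # published tracking codes (the hash chain) still expose the change.
    seal(tampered[1])
    resealed = hash_mismatches(tampered[1])
    return {"naive": naive, "resealed": resealed,
            "chain_intact": tracking_chain(tampered, seed) == published}
```

Running demo() shows the two halves of the argument: recomputing the hashes catches a ballot whose ciphertexts were altered after encryption, but an attacker who can also rewrite the stored crypto_hash fields passes that check, and only the previously published tracking codes (the chain of H(previous code, ballot hash)) still reveal the substitution. Without a hash chain, the verifier needs some other commitment to each SubmittedBallot.crypto_hash.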

Currently, a verifier does not need to recompute the crypto_hash of Manifest, ContestDescription, or SelectionDescription. Nor are the ContestDescription or SelectionDescription crypto_hash() values included in the election record.

This suggestion would require either including those in the election record or having a verifier recompute them. For a verifier not using the reference library, it currently has to reverse engineer the hash function.

I'm not sure, but it seems useful for a verifier to have the ability to recompute the crypto_hash, as a check against possible manipulation. Will add as a possible enhancement.

JohnLCaron, Mar 18 '22 18:03