Hi!
It is great to see all this documentation being made public!
I am looking at the threat model document, and am surprised by the absence of direct communication between the trustees and the public bulletin board: the election administrator always seems to stand between them.
What would then prevent a malicious election administrator from running a full trustee key generation ceremony alone, with one set of trustee signing keys that he generated himself and placed in the public election manifest, while the actual trustees live in a different world, in which the election administrator shows a different election manifest containing the "real" trustee public keys (on which they will all agree) and in which the trustees generate an election key that will never make its way to the voting application and bulletin board.
Similarly, would the election administrator be able to present to the trustees a "fake" set of voter signature keys, so that voters would encrypt all their ballots with the election administrator generated election key, which the election administrator would then decrypt, re-encrypt with the public key generated by the trustee, and sign with the "fake" voter signing keys? At the end of such an election, the trustees would feel that they completed their job, obtained and proved the correct outcome that is announced everywhere, except that the election administrator played man-in-the-middle and broke the confidentiality of all the votes.
I wonder if there is a need that, at some points, the trustees actually go out of their air-gapped network and check the public version of the bulletin board and the published version of the election manifest in order to make sure that what they are seeing there is consistent with what they are doing in their air-gapped network.
Concretely, taking the example of the diagram on page 9 (but the same would apply to the diagrams on pages 14 and 15), would it make sense to make the trustees also appear in the Internet area next to the verifier, and to mandate them to perform consistency checks between their view in their role of trustees and the view they are getting from the bulletin board?
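The consistency check proposed in this issue, sketched as an added example (this is not code from the project the issue is filed against): a trustee steps outside the air-gapped network, fetches the manifest the bulletin board publishes, and compares it field by field against the manifest it was shown during the ceremony. Manifest field names (`trustee_public_keys`, `election_public_key`, `voter_signing_keys`) and the two sample manifests are constructed assumptions for illustration; the scenario where the published trustee keys and election key differ from the trustees' own is the one described above.

```python
"""Consistency check between a trustee's air-gapped view of an election and the
published bulletin-board view.

Added example, not code from the project this issue is filed against. Manifest
field names ("trustee_public_keys", "election_public_key", "voter_signing_keys")
are assumptions chosen for illustration; both sample manifests are constructed.
"""
import hashlib
import json


def canonical_bytes(manifest: dict) -> bytes:
    # Deterministic serialisation so both sides hash exactly the same bytes
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(manifest: dict) -> str:
    # A short value trustees can read aloud or compare with the published one
    return hashlib.sha256(canonical_bytes(manifest)).hexdigest()


def compare_views(trustee_view: dict, published_view: dict) -> list:
    """Return the names of fields whose values differ between the two views.
    An empty list means the two views are consistent."""
    mismatches = []
    for field in sorted(set(trustee_view) | set(published_view)):
        if trustee_view.get(field) != published_view.get(field):
            mismatches.append(field)
    return mismatches


def trustee_key_published(own_public_key: str, published_view: dict) -> bool:
    """Each trustee separately confirms that the key it actually holds is the
    one listed for it in the manifest the public can see."""
    return own_public_key in published_view.get("trustee_public_keys", [])


# Constructed sample: what the trustees see during the air-gapped ceremony
TRUSTEE_VIEW = {
    "election_id": "demo-2024",
    "trustee_public_keys": ["tpk-alice", "tpk-bob", "tpk-carol"],
    "election_public_key": "epk-jointly-generated",
    "voter_signing_keys": ["vsk-0001", "vsk-0002"],
}

# Constructed sample: an honest administrator publishes the same manifest
PUBLISHED_VIEW_HONEST = dict(TRUSTEE_VIEW)

# Constructed sample: a man-in-the-middle administrator publishes its own
# trustee keys and its own election key while the trustees see the ones above
PUBLISHED_VIEW_MITM = {
    "election_id": "demo-2024",
    "trustee_public_keys": ["tpk-admin-1", "tpk-admin-2", "tpk-admin-3"],
    "election_public_key": "epk-admin-only",
    "voter_signing_keys": ["vsk-0001", "vsk-0002"],
}


def check(trustee_view: dict, published_view: dict, own_key: str) -> dict:
    """Combined check a trustee runs after stepping out of the air gap."""
    return {
        "fingerprints_match": fingerprint(trustee_view) == fingerprint(published_view),
        "mismatched_fields": compare_views(trustee_view, published_view),
        "own_key_published": trustee_key_published(own_key, published_view),
    }


if __name__ == "__main__":
    print("honest :", check(TRUSTEE_VIEW, PUBLISHED_VIEW_HONEST, "tpk-alice"))
    print("mitm   :", check(TRUSTEE_VIEW, PUBLISHED_VIEW_MITM, "tpk-alice"))
```

The point of the third check is that it needs no shared secret: a trustee only has to confirm that its own public key, as it holds it, appears in what the public sees, which the substitution scenario above cannot satisfy.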