"Rules" and "physical laws" are two powerful, immediate, external influences on our behavior.
At its heart, a rule is little more than a suggestion backed by a threat. A rule's power comes from outside itself, through enforcers who detect and punish violations. Without support, a rule can be freely ignored, or at least "bent" a little.
By contrast, a physical law is a sort of self-enforcing rule. Physical laws are obeyed not because they threaten punishment, but because they're either impossible to violate, or because violation will assuredly cause immediate pain or damage. Drivers run red lights all the time, but nobody hides from gravity.
This essay briefly contemplates the use of cryptography to bring the strength of physical laws to procedural processes, particularly vote counting in public elections.RULES
A rule may say "don't pick the flowers," but it's the threat of arrest that keeps tulips blooming in the Boston Public Garden. Laws written by Congress are rules, too. So are no-smoking policies, vehicle stopping points marked by red octagons, and "no glass containers" policies at ballparks.
Rules must be advertised so their subjects know about them. Rulemakers anticipate voluntary cooperation from most subjects, and contrive penalties to coerce cooperation from those who wouldn't otherwise play along.
Maintaining rules is a lot of work. A rulemaker must have the authority to create the rule (the assistance of others is usually essential), the wherewithal to advertise the rule wherever and whenever it's in effect, resources to monitor compliance, and the ability to impose punishment - a fine, jail time, firing, ejection from Disneyland - on violators.
Physical laws are obeyed either because they're impossible to break without assistance, or because an attempt to break them automatically brings injury, expense or discomfort to the lawbreaker. Gravity and the other laws of nature are physical laws, of course, but some human creations, at least in ordinary circumstances, also take on properties of physical laws.
For example, highway cloverleafs coerce cars into following prescribed routes in, around and back out. No driver takes a shortcut through a cloverleaf without suffering damage. Twenty-foot razorwire fences can't be climbed without injury. Speed bumps are inert mounds of asphalt, but they control the speed of vehicles that pass over them.
Comparing physical laws to rules, we find that the presence of a physical law is understood by all; they are inherently difficult or impossible to overcome; monitoring is passive and continuous; and enforcement happens automatically.
A picket fence is a rule; a twenty-foot razor wire fence is more like a physical law. Speed limits are rules; speed bumps and cloverleafs are physical laws.
THE POINT: CRYPTOGRAPHY CAN GIVE RULES THE POWER OF PHYSICAL LAWS
The process of election tabulation can be understood as a collection of rules. Because every polling station, ballot, poll worker and voting machine can't be watched continuously on election day, surveillance is inefficient, violations aren't always detected, and elections are left vulnerable to mistakes and frauds.
Physical laws offer desirable features for security-centric processes: they don't need continuous outside monitoring; compliance is high because any attempt to cheat is resisted and exposed automatically; they can't be "defeated" by cleverness or stealth.
If they could assume some of the properties of physical laws, loosely monitored processes such as vote counting could achieve a level of integrity that would otherwise be unattainable.
How can cryptography can bring some of those qualities to the hard-to-monitor, rule-driven process of a public election?
We use things to protect other things all the time: a gym locker secured with a padlock, and a computer system protected by a password, are two examples. In fact, padlocks and passwords fail in quite similar ways. If the padlock can be opened, by destroying it if necessary, your wallet and keys are history. If ordinary security on a computer can be broken by disabling it or by going around it - and there are plenty of ways to do that - the stuff the password was supposed to protect can be taken or altered without leaving any clues.
A good cryptographic system doesn't fail like that. Even if the system is destroyed (physically or metaphorically), the secrets are safe. There simply isn't an end-run. Unlike padlocks and passwords, cryptographic systems protect both their contents and themselves.
The intrinsic resistance of cryptosystems to end-runs and full-on attacks is the root of their ability to act in the virtual world as physical laws do in the real world. Cryptographically-equipped processes, if built properly (very important) cannot be overcome by cunning or effort. Cryptosystems can't be coerced. Their protected data can't be altered. Attempts to defeat them only cause trouble for the attacker, and if not undone, reveal that tampering occurred.
A well designed voting system built around cryptography would automatically repel efforts to break it, no matter where in the process the attack occurred, without continuous monitoring or security at every step, even if nobody saw the attack in progress. Gravity, cloverleafs and the trustworthiness of future elections all work, or work best, if built atop physical laws or faithful adaptations of those laws.
The Voting Transparency Project concerns itself with the entire process of running an election, placing a strong but not exclusive focus on vote-counting. In the next entry I'll write more about new work by Ben Adida at MIT, who is exploring the theoretical underpinnings of voting systems that could be secured from end to end, absolutely, with the help of a cryptosystem, rather than haphazardly with conventional surveillance.