If the information in the vote is incorrect, the challenge reveals it. Do you have a specific example of information which must be published by the machine which is impossible to check statistically?

Assuming all the published information can be checked, you're extremely limited in how the machine can misbehave. It could log votes, but that's true of any voting system [ie. hidden camera in the ceiling].

I'm not really sure how to deal with the statistical coercion, because the number of possible strategies is so broad. How are they secretly communicating whether or not to challenge the vote? How does the enemy link challenged votes to the voter [just because the vote contains unique information doesn't mean it must identify the voter]?

The identifying information is encrypted until the voter challenges the vote. Only the machine holds the key. You can't prove that someone voted for a particular candidate, only that they voted. [Note: The fact that someone voted is impossible information to hide, because it is required to stop people from voting multiple times.]

Worst case scenario is the machine maliciously revealing the key. Actually, the worst case scenario is the machine silently recording the vote [which is not stoppable with a better communication protocol, of course]. It might make sense for a supervising machine to hash and salt the voter id so the individual voting machines don't know who is casting the vote.

You're assuming the vote doesn't contain identifying information. For example the booth could display a value which incremented each time a vote was completed, and which the machine must include in the vote cast. You could also use the time or a hash of the voter's identity. The voter can verify a vote with the correct ID was cast from the machine by challenging the vote, and the poll workers and other machines can verify that the vote ID is behaving correctly.

Where is the new avenue of attack?

I actually do agree that voting from home is a stupid idea. A PC is not a secure environment, with the obvious threat being botnets.

(Reply to other post):
You don't perform the verification with the same machine. That would be a pointless waste of time. Part of the definition of casting a ballot is publishing it (presumably accessible on the internet, obviously encrypted). You then use your PDA or whatever to check that the ballot has in fact been cast, THEN either verify or commit to it.

So an attacker can no longer silently change votes by compromising just a single voting machine.

The error is more like 1/sqrt(N), not 1/N^2.

It would be nice if twice as many people was four times as accurate instead of the other way around, though.

Lack of imagination.

For example, consider a commit-or-verify scheme. After you cast a ballot you can either commit the ballot or verify that it was recorded correctly and repeat the process.

Check out VoteBox:
http://www.usenix.org/events/sec08/tech/full_papers/sandler/sandler_html/index.html

Everyone seems to be ignoring the fact that uninstallable extensions shouldn't even be allowed by firefox. I remember installing SiteAdvisor, then it was bought by McAfee and they set the "screw you no uninstalls" bit. Not appropriate at all.

If it can't be uninstalled, then it shouldn't be an extension.

Excellent post. Well written, insightful, and even a bit funny.

A 1% pregnancy rate over two and a half years actually sounds very effective. I don't know the rates for other protection methods, or even unprotected, but I know they're not as good as 99% (in practice) over 2.5 years.

But 1/3 of the sample dropping out is not very promising. Side effects? Cherry picking? Guess we'll find out later.