Replies

A Z80 processor? Didn’t TRS-80s have those in the late 1970s?

The Z80 is a perfectly fine choice, actually. What's wrong with it?

IMHO, for a machine to be considered trustworthy it must be possible to confirm that the machine is running the official firmware and nothing else. Were I constructing a voting machine, it have no on-board non-volatile storage of any form other than a non-writable real-time clock chip, and would accept two cartridges:

A ROM cartridge (EPROM, EEPROM, or flash, but physically write-protected) containing all firmware and ballot configuration data.
A EEPROM cartridge which would store cast ballot data. This cartridge would contain a physical write-protect mechanism as well, but would be write-enabled when installed in the voting machine.

A hardware interlock would prelude code execution from any address outside the ROM cartridge, which would be write-protected while it was inserted into the machine. A physical mechanism would allow two or more padlocks to be installed on the machine such that all of the cartridges would be visible but could be removed or otherwise handled until all of the padlocks were removed. A mechanical switch would report to the CPU whether the mechanism was locked or unlocked. Each party would supply its own padlocks.

Cartridges would be constructed with a visible write-protect switch whose state could only be changed by opening a panel. Both parties would supply their own seals for this panel. The cartridges could be read via simple USB-connected reader (could be profitably produced in quantity 1,000 for less than $50 each).

Protocol: firmware and cast-ballot cartridges should be set up before the election by the state election officials. All cartridges should have their write-protect switches set to "protect".

To start with, the firmware cartridge should be sealed by both parties. An election judge from each party should read out the contents of both cartridges and confirm that they precisely match the official standard image. All parties should watch all cartridge handling closely to ensure that the write-protect switch on the ballot cartridge is not moved. If someone thinks the ballot write-protect switch may have been moved by the other party, that person should re-read the cartridge to ensure that it has not been altered.

Once everyone is satisfied that the cartridges contain precisely what they should, they should be installed in the machine and the cover closed, but the switch to the processor left in the "unlocked" position. The firmware would then start up, prompt for the correct time, and store on the ballot cartridge the difference between the hardware clock time and the entered time. It would also display the status of the ballot cartridge which should be confirmed at that point as containing zero votes.

Once that is done, the switch would be moved to the "locked" position and padlocks would be installed. The system would then be ready for operation.

Once voting is complete, the padlocks would be removed and the switch set to the "unlocked" position. This would allow the totals to be read out from the machine. Next, the machine would be opened and the ballot cartridge write-protected and sealed. After that was done, both parties would read out both cartridges again. They would then compare SHA hash values for the two cartridges, exchange digital signatures, and a representative from each party would be video-recorded writing both the hash value and vote tallies on a chalkboard (the latter would be a protection against a party releasing its own private key and then accusing the other party of using that key to fake the records).

If units and cartridges were constructed in such a fashion as to facilitate X-rays of the chips involved, what room would there be for fraud?