Prêt à Voter Practical, Voter-verifiable Elections Peter Y A Ryan University of Newcastle upon Tyne Cambridge 15 November 2005 P Y A Ryan Prêt à Voter.


Prêt à Voter
Practical, Voter-verifiable Elections
Peter Y A Ryan
University of Newcastle upon Tyne
Cambridge
15 November 2005
Outline
• The problem.
• Voter-verifiability.
• Outline of Prêt à Voter “Classic”
• Prêt à Voter with re-encryption mixes
• Vulnerabilities and counter-measures
The Problem
• From the start it was recognised that people
would be tempted to try to corrupt the outcome
of democratic processes.
• The Ancient Greeks experimented with primitive
technological solutions to try to shift the trust
from people to mechanical devices.
• In the US they have been using technological
devices for voting for over a century: lever
machines since 1887 (or thereabouts), due to
high levels of fraud with paper ballots. Edison
patented an electronic voting device around that
time.
“The Computer Ate my Vote”
• In this year’s presidential election, ~30%
of the electorate were using DRE, touch
screen devices.
• Aside from the “thank you for your vote for
Kerry, have a nice day” what assurance do
they have that their vote will be accurately
counted?
• What do you do if the vote recording and
counting process is called into question?
The Mercuri Method
• Rebecca Mercuri and others have been
advocating having DRE machines generate a
paper audit trail.
• Voters get to see the paper record under glass
and, if they confirm it, it gets dropped in a ballot
box.
• A.k.a. Voter Verifiable Paper Audit Trails: VVPAT
• This seems to help but has problems of its own.
Remote vs Supervised
• We need to draw a clear distinction
between supervised and remote voting.
• In the former the voter casts their vote in
enforced isolation, e.g., in a booth in a
polling station.
• In remote voting, e.g., over the internet, such
isolation cannot be enforced.
• Hence dangers of coercion.
Hazards of e-voting!
Assumptions
• For the purposes of the case study we will make
many sweeping assumptions, e.g.,:
– An accurate electoral register is maintained.
– Mechanisms are in place to ensure that voters can be
properly authenticated.
– Mechanisms are in place to prevent double voting.
– Existence of a secure Web Bulletin Board.
– Etc.
• Note: Prêt à Voter “Classic” is supervised rather
than remote.
Voter-verifiability in a nutshell
• Voters are provided with an encrypted “receipt” and are
able to verify the decryption in the booth.
• Copies of the receipts are posted to a secure web
bulletin board. Voters can verify that their (encrypted)
receipt is correctly posted.
• Tellers perform a robust anonymising mix on the batch of
posted receipts, revealing the decrypted votes at the
end.
• Checks are performed at each stage to detect any
attempt to decouple the encryption on the receipt from
the decryption performed by the tellers.
Prêt à Voter
• Uses pre-prepared ballot forms that encode the
vote in familiar form (an X against the chosen
candidate).
• The candidate list is (independently) randomised
for each ballot form.
• Information allowing the candidate list to be
reconstructed is buried cryptographically in an
“onion” on each ballot form.
• An excess number of forms are generated to
allow for random auditing, before, during and
after the election.
Example (single candidate choice)
• Each ballot form has a unique, secret, random
seed s
• For each form, a permutation of the candidate
list is computed as a publicly known function of
this seed.
• The seed information is buried cryptographically
using public keys of a number of tellers in an
“onion” printed on the form.
• The seed can only be extracted by the collective
actions of the tellers, or a suitable subset if a threshold
scheme is used.
Typical Ballot Sheet
Epicurus
Democritus
Aristotle
Socrates
Plato
$rJ9*mn4R&8
Voter marks their choice
Epicurus
Democritus

Aristotle
Socrates
Plato
$rJ9*mn4R&8
Voter’s Ballot Receipt

$rJ9*mn4R&8
Voter casts her vote
• Once the voter has made their choice, the LH strip is
detached and discarded.
• RH strip constitutes the receipt which is fed into a device
that reads the information on the right hand strip.
• Note: the device does not learn the voter’s choice.
• The device will transmit a digital copy of the receipt to a
central server, as a pair (r, Onion), for posting to the web
bulletin board.
• The original RH strip is returned to Anne (digitally signed
and franked).
• Here $r$ ($\in \mathbb{Z}_v$) is the index value that encodes the position
of the X.
Remarks
• Note that the receipt reveals nothing about the vote.
• The onion carries the crypto seed, encrypted with the
tellers’ public keys, that (a subset of) the tellers use to
reconstruct the permutation of the candidate list.
• Without all of these secret keys (or an appropriate
subset) the candidate list cannot be reconstructed and
hence the vote value cannot be recovered.
• Vote is not directly encrypted, rather the frame of
reference, i.e., the candidate list, is randomised and
information defining the frame is encrypted.
• A VVPAT style mechanism can be incorporated.
• Works for ranked, STV etc.
Anonymisation and tabulation
• Once the election has closed and all receipts
have been posted to the WBB, a set of tellers
perform a robust anonymising mix on the
receipts:
– Receipts are decrypted by stages and undergo
multiple secret shuffles. Intermediate stages are also
posted to the WBB for audit.
– Tellers transform the “r” index value. The final “r”
values that emerge from the mix give the raw vote
value in the canonical basis.
– Any link between the original receipts and the
decrypted values will be lost.
Seeds and offsets
• Suppose that we have k tellers. Each teller
has two public key pairs. For each ballot
form 2k random germs are generated:
gi,ZN (some modest size N, e.g., 232)
• The seed value is taken to be the
sequence of these germ g values:
Seed:= g0, g1, g2v, g3, …..... , g2k-1
Onion construction
• The germs are buried in the 2k layers of the
onion:
• $D_0$ is a random value, unique to each ballot form.
Then:
$D_{i+1} := \{g_i, D_i\}_{PKT_i}$, $i = 0, \ldots, 2k-1$
Onion := $D_{2k}$
• Thus:
Onion := $\{g_{2k-1}, \{g_{2k-2}, \{\ldots, \{g_2, \{g_1, \{g_0, D_0\}_{PKT_0}\}_{PKT_1}\}_{PKT_2} \ldots\}_{PKT_{2k-3}}\}_{PKT_{2k-2}}\}_{PKT_{2k-1}}$
Candidate permutations
• These germs are used as keys for a random
permutation function for each teller mix:
i := f(gi), i=0 through 2k-1
• The candidate list permutation  is computed as
the product of the 2k permutations computed
above applied to the basis ordering 0 to give
the candidate order  shown on the ballot form:
 :=  i=02k-1 i○0
Basis ordering 0
• We assume some canonical, basis ordering 0 from
which all the permuted orderings on the ballot forms are
derived by applications of the permutation functions
derived from the hidden seed values:
• 0 :=
Aristotle
Democritus
Epicurus
Plato
Socrates
Teller transformations
• Transformations on the ballot pairs:
• On each ballot pair $(r_i, D_i)$, the teller performs the transformation:
$(r_i, D_i) \rightarrow (r_{i-1}, D_{i-1})$
• Recall:
$\{D_i\}_{SKT_{i-1}} = g_{i-1}, D_{i-1}$
• And:
$r_{i-1} = f(g_{i-1})^{-1}(r_i)$
• Thus, one layer of onion is stripped off and the revealed germ is used
to compute the inverse of the ith permutation, which is applied to the
index value.
• The final pair, (r0, D0) comprises the index value that represents the
vote value in the basis ordering 0 along with the inner onion value.
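The seed, onion, permutation and teller steps above, run end to end as an added Python example (not code from the original slides). It assumes a SHA-256 ordering as the public function f and a symmetric SHAKE-256 XOR as an insecure stand-in for the public-key layers; all function names are hypothetical.

```python
import hashlib
import secrets

BASIS = ["Aristotle", "Democritus", "Epicurus", "Plato", "Socrates"]  # canonical order
V = len(BASIS)

def perm_from_germ(g):
    """f(g): public, deterministic permutation of positions 0..V-1 (assumed construction)."""
    return sorted(range(V), key=lambda j: hashlib.sha256(f"{g}:{j}".encode()).digest())

def _xor(data, key):
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, germ, inner):
    """Stand-in for {germ, inner}_PKT (symmetric and insecure; illustration only)."""
    return _xor(germ.to_bytes(4, "big") + inner, key)

def unseal(key, layer):
    """Stand-in for decryption under SKT: returns (germ, inner layer)."""
    plain = _xor(layer, key)
    return int.from_bytes(plain[:4], "big"), plain[4:]

def make_ballot(keys):
    """Return (printed candidate order, onion) for one form; keys[i] plays PKT_i/SKT_i."""
    germs = [secrets.randbelow(2**32) for _ in keys]
    onion = secrets.token_bytes(8)                 # D_0, unique per form
    for g, key in zip(germs, keys):                # D_{i+1} := {g_i, D_i}_PKT_i
        onion = seal(key, g, onion)
    printed = [None] * V
    for c in range(V):                             # push each basis index through every f(g_i)
        pos = c
        for g in germs:
            pos = perm_from_germ(g)[pos]
        printed[pos] = BASIS[c]
    return printed, onion

def peel(key, r, layer):
    """One teller step: (r_i, D_i) -> (r_{i-1}, D_{i-1})."""
    g, inner = unseal(key, layer)
    return perm_from_germ(g).index(r), inner       # f(g)^{-1} applied to r

def tabulate(keys, receipts):
    """Decryption mix over a batch of (r, onion) receipts; returns the votes, unlinked."""
    batch = list(receipts)
    for key in reversed(keys):                     # outermost layer first
        batch = [peel(key, r, d) for r, d in batch]
        secrets.SystemRandom().shuffle(batch)      # secret shuffle between stages
    return [BASIS[r] for r, _ in batch]
```

With k = 3 tellers (six keys) the onion is 8 + 6 × 4 = 32 bytes, which shows the growth with teller count and germ size that the re-encryption slides later set out to avoid.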
[Figure: mix diagram; labels: Batch 1, Teller 1, Batch 2, Teller 1', Batch 3]
What can go wrong…
• For the accuracy requirement:
– Ballot forms may be incorrectly constructed, leading
to incorrect decryption of the vote.
– Ballot receipts could be corrupted before they are
entered in the tabulation process.
– Tellers may perform the decryption incorrectly.
• We now discuss the counter-measures to these
threats.
Checking the ballot forms
• We need to check that the seed buried in the
onion does correspond to the candidate
permutation shown on the ballot form.
• Checks can be performed by auditors and the
voters to catch such corruption:
– Random audits of ballot forms performed before,
during and after the election period by the Electoral
Reform Soc etc.
– Voters could also be invited to perform similar checks
on randomly selected “dummy” forms. For example,
voters could be invited to randomly select a pair of
forms, one to check, one to cast their vote.
Auditing ballot forms
• To check the construction of the ballot forms, the values
on the form, onion and candidate ordering, can be
reconstructed if the seed value is revealed.
• One of the innovations of Prêt à Voter is to use the
tellers in an on-demand mode to reveal the secret seed
value buried in the onion. This avoids problems with storing
and selectively revealing seeds.
• Note, for this checking process, the tellers are used on an
on-demand basis before and during the election, quite
different to the batch mode for the anonymising mix after
the election has closed.
Ballot form checking modes
• In fact, this oracle teller mode suggests several ways
for voters to check the well-formedness of ballot forms:
1. Simple, single dummy vote
2. Multiple or ranked dummy vote
3. Given the onion value, the tellers return the candidate ordering
• Note: vulnerable to authority/tellers collusion attacks.
• The auditor checks are the more rigorous: not
vulnerable to authority/teller collusions.
Recording and transmission
• To check that receipts are accurately
recorded and input into the mix:
– Voters can visit the WBB and check that their
receipt appears correctly recorded.
– Voter checks can be supplemented by
independent audit authorities checking the
WBB against the VVPAT style record of ballot
receipts.
Auditing the tellers
• Partial Random Checking of the teller transformations:
auditor randomly selects half of the links to be
revealed and checked, but in such a way as not to reveal
any links across the two transformations performed by
the teller.
• Go down middle WBB column for each teller and
randomly assign ► or ◄ to each pair.
• For a ►(◄), the tellers reveal the outgoing (incoming)
link along with the associated re-encryption
randomisation values.
• Note: because no complete paths across a given teller’s
pair of mixes are revealed by the audit process, we can
audit the tellers independently.
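The partial random checking described above, as an added Python example that is not part of the original slides. It assumes El Gamal re-encryption mixes over a toy group with constructed parameters, writes "in"/"out" for ◄/►, and uses hypothetical function names; the `tamper` option exists only to show what the audit detects.

```python
import secrets

P, Q, G = 2039, 1019, 4        # toy group (constructed): G has prime order Q mod P
H = pow(G, 77, P)              # tellers' public key; auditing never needs the secret

def reenc(ct, y):
    """El Gamal re-encryption of ct = (y1, y2) with randomisation value y."""
    return ct[0] * pow(G, y, P) % P, ct[1] * pow(H, y, P) % P

def shuffle_mix(column):
    """One mix: item i is re-encrypted with ys[i] and posted at slot perm[i]."""
    n = len(column)
    perm = list(range(n))
    secrets.SystemRandom().shuffle(perm)
    ys = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    out = [None] * n
    for i, ct in enumerate(column):
        out[perm[i]] = reenc(ct, ys[i])
    return out, (perm, ys)

def pick_arrows(n):
    """Auditor: one random direction per item in the middle WBB column."""
    return [secrets.choice(["in", "out"]) for _ in range(n)]

def reveal(sec_in, sec_out, j, arrow):
    """Teller's answer for middle item j: the linked index and its randomisation."""
    if arrow == "in":                      # which left item became j
        perm, ys = sec_in
        i = perm.index(j)
        return i, ys[i]
    perm, ys = sec_out                     # where j went on the right
    return perm[j], ys[j]

def audit(left, middle, right, arrows, answers):
    """Return the middle indices whose revealed link does not verify."""
    bad = []
    for j, (arrow, (idx, y)) in enumerate(zip(arrows, answers)):
        if arrow == "in":
            ok = reenc(left[idx], y) == middle[j]
        else:
            ok = reenc(middle[j], y) == right[idx]
        if not ok:
            bad.append(j)
    return bad

def run_prc(left, arrows, tamper=None):
    """Teller mixes twice; optionally alters the output linked to middle item `tamper`."""
    middle, sec_in = shuffle_mix(left)
    right, sec_out = shuffle_mix(middle)
    if tamper is not None:
        t = sec_out[0][tamper]
        right[t] = (right[t][0], right[t][1] * G % P)   # plaintext m becomes m*G
    answers = [reveal(sec_in, sec_out, j, a) for j, a in enumerate(arrows)]
    return audit(left, middle, right, arrows, answers)
```

Each middle item has exactly one of its two links opened, so no input can be traced to an output, while any single altered link is caught whenever the auditor's coin for it points at the altered side.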
Auditing the tellers
[Figure: teller audit diagram; labels: Teller 1, Teller 1']
Advantages of Prêt à Voter
• Voter experience simple and familiar.
• No need for voters to have personal keys or computing
devices.
• Ballot form commitments and checks made before
election opens → neater recovery strategies.
• The vote recording device doesn’t get to learn the vote.
• Votes are not directly encrypted, just the frame of
reference.
• Highly flexible.
• Works nicely for alternative voting systems, STV,
approval, ranked etc.
• Adaptable to remote voting (see Clarkson et al).
Enhancements
• Re-encryption mixes
• Distributed generation of ballot forms.
• Concealment of onion/candidate list
associations.
• Separation of teller modes.
Re-encryption mixes
• Prêt à Voter “Classic” uses Chaumian (decryption) mixes.
• Alternatives:
– re-encryption mixes.
– Homomorphism schemes etc.
• Advantages of re-encryption:
– Tellers inject fresh entropy at each stage, hence onion size doesn’t grow
with number of tellers and germ size.
– Less dependence on availability of tellers: a faulty mix teller can just be
binned and replaced.
– Full mixing over the El Gamal group.
– Clean separation of mixing and decryption stages.
– Mixes and audits can be rerun afresh.
• Downsides:
– Need shuffle commitments.
– Tricky to mesh with Prêt à Voter’s special encoding of votes.
Re-encryption mixes
• Prêt à Voter’s rather special representation of the vote
in the receipts makes it tricky to mesh with re-encryption mixes. Some possible approaches:
1. Leave r, index terms unchanged through the mixes.
2. Follow re-encryption mixes with Chaumian decryption mixes.
3. Absorb the r into the onion value.
4. Transform both r and D terms leaving vote value invariant.
5. Add teller transforms to the index values, storing the entropy in
an extra (pre-generated and audited) “onion” value.
6. Use zero-knowledge/crypto-homomorphism approaches.
Discussion
• Option 1: allows the adversary to partition the mix
according to the index value, but might be okay where the
number of voters vastly exceeds the number of ballot
options.
• Option 2: again the re-encryption mix can be partitioned.
Might be a reasonable compromise.
• Options 3 and 4: seem to work nicely but appear to
necessitate malleable encryption for the terms that move
through the mix.
• Option 5: works but loses conceptual simplicity (e.g.,
need to mix by value and by position separately).
• Option 6: promising, but seems to lose the conceptual
simplicity of the PRC approach, and perhaps the linear
scaling properties.
El Gamal encryption
• El Gamal encryption:
• let  be a generator of cyclic group Zp*, p a large prime.
Choose k (2kp-2) and let  = k (mod p).
• p,  and  made public, k kept secret.
• (Randomised encryption) of m in {0, …, p-1}:
(x, x.m) =: (y1, y2)
• Re-encryption:
(x+y, x+y.m)
• Note: same as directly encrypting m with randomisation
x+y.
• Decryption:
$m = y_2 / y_1^k$
Re-encryption mixes
• Work in a similar way to decryption mixes described
earlier:
• Each mix teller takes in a batch of receipts encrypted
with El-Gamal. For each it performs a re-encryption,
choosing a different re-randomisation for each.
• It posts the resulting re-encrypted, shuffled ballots to the
next column of the WBB.
• Mixes are followed by a (threshold) decryption stage.
• Afterwards, PRC can be performed in a similar way to
that described earlier.
• Chaum-Pedersen style ZK proofs of shuffles also seem
possible with ElGamal “onions”.
Option 3
• For simplicity we will assume just random cyclic shifts of
the candidate list.
• Let s be the candidate list offset. Encrypt -s in the El
Gamal pair to form the onion.
(x, x. -s) =: (y1, y2)
• A receipt pair can be transformed to:
(r, x, x. -s)  (x, x. r-s)
• This can be put through a conventional re-encryption mix
and the final decryption yields the vote value directly.
• Need slight elaboration for full permutations.
• Note: for STV, ranked etc, we can mix the ballot cells
separately.
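Option 3 carried through a re-encryption mix, together with the El Gamal encrypt, re-encrypt and decrypt operations from the earlier slide, as an added Python example (not from the original slides). The names G, h and GAMMA, the toy group parameters and the single key k standing in for threshold decryption are assumptions of the example.

```python
import secrets
from collections import Counter

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with Q prime; G and GAMMA are squares mod P, so both have order Q.
P, Q = 2039, 1019
G, GAMMA = 4, 9
BASIS = ["Aristotle", "Democritus", "Epicurus", "Plato", "Socrates"]
V = len(BASIS)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1                 # 1 .. Q-1

def keygen():
    k = rand_exp()
    return k, pow(G, k, P)                              # secret k, public h = G^k

def encrypt(h, m):
    x = rand_exp()
    return pow(G, x, P), pow(h, x, P) * m % P           # (y1, y2)

def reencrypt(h, ct):
    y = rand_exp()                                      # fresh randomness, no secret key
    return ct[0] * pow(G, y, P) % P, ct[1] * pow(h, y, P) % P

def decrypt(k, ct):
    return ct[1] * pow(ct[0], -k, P) % P                # m = y2 / y1^k

def make_ballot(h):
    """Cyclic shift s of the basis order; the onion encrypts GAMMA^(-s)."""
    s = secrets.randbelow(V)
    printed = [BASIS[(pos - s) % V] for pos in range(V)]
    return printed, encrypt(h, pow(GAMMA, -s, P))

def absorb_index(receipt):
    """(r, y1, y2) -> (y1, y2 * GAMMA^r): the ciphertext now carries GAMMA^(r-s)."""
    r, (y1, y2) = receipt
    return y1, y2 * pow(GAMMA, r, P) % P

def mix(h, batch):
    """One mix teller: re-encrypt every term, then shuffle."""
    out = [reencrypt(h, ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out

def tally(k, batch):
    """Decrypt after the mixes and map GAMMA^(r-s) back to a candidate."""
    # r - s lies in (-V, V); reduce the recovered exponent mod V for the basis index.
    lookup = {pow(GAMMA, e, P): BASIS[e % V] for e in range(-(V - 1), V)}
    return Counter(lookup[decrypt(k, ct)] for ct in batch)
```

The absorption step works only because the ciphertext is malleable, which is the property the discussion of Options 3 and 4 points at; it is also why the receipt itself has to be protected separately.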
Discussion
• Is the malleability of the onion terms
problematic?
• Malleability of terms flowing through the mix
seems not to be a problem from the accuracy
point of view.
• From a secrecy point of view, it seems that it
should be possible to perform a reduction style
proof to the DH problem.
• Still need to ensure that ballot receipts are non-malleable. Digital signatures appear to achieve
this.
Prêt à Voter Vulnerabilities
• Chain voting.
• Authority knowledge of ballot form
information.
• Enforcing the destruction of LH strips.
• Separation of teller modes.
Chain Voting
• Effective against many conventional voting
systems:
1. Coercer smuggles a blank ballot form out of the
polling station and
2. Marks it with their preferred candidate.
3. They intercept a voter entering the polling station,
hand them the marked up form and tell them that if
they emerge from the station with a fresh, unmarked
form they will be rewarded.
4. Return to step 2.
Counter-measures
• In a system like the UK system in which voters are given
a ballot form when they register and are then observed
to cast the form in the ballot box, this can be quite
effective: if the voter emerges with a fresh, blank form it
is a strong indication that they cast the coercer’s marked
form.
• For a conventional system, a possible counter-measure
is to use a system along the lines of the French system:
Ballot forms are not controlled, only their casting.
– Ballot forms are freely available at the polling station.
– Choice made in a booth by inserting ballot of choice in an
envelope.
– Voters register when they cast their vote, in an envelope.
Chain voting and Prêt à Voter
• Particularly virulent with WBB systems. Above counter-measure
fails.
• Note:
– Voters don’t need sight of the onion value in order to make their
selection.
– Casting an encrypted ballot can be in the presence of a voting official.
• Hence, possible countermeasures:
– Conceal the onion under a scratch strip.
– Official checks scratch strip is intact at time of casting.
– Also need to check that form used to cast corresponds to the forms
given to the voter when they register.
– Handling ballot forms in sealed envelopes also helps.
– Cryptographic analogues, e.g., crypto commitments to onion values.
– On-demand printing of ballot forms, but harder to audit.
Distributed creation of ballots
• In Prêt à Voter Classic, the entities that create and handle the ballot
forms must be trusted to keep onion/candidate lists secret.
• Countermeasures:
– Create pairs of “entangled” onions (same seed). Conceal one under a
scratch card (or cryptographically) and perform a pre-mix on the pairs.
– Have the tellers translate the exposed onions into candidate lists.
– Random audit the resulting forms.
– Cast encrypted receipts in presence of an official and reveal the onion
value at this point.
• Further possibilities:
– “Mirror”, robust pre-mix on entangled onions (run Plaintext Equivalence
Tests (PET) on the entangled onion pairs and PRC the mix)
– Just in time candidate lists.
– Just in time onions.
– Multiple entangled onions (independently reveal candidate lists for n-1)
• Plenty of possibilities, some adaptable to remote contexts.
Entangled onions
((x, x. s), (y,  y. s))
• Where  := k
• These pairs are put through a set of re-encryption anonymising mixes:
((x, x. s), , (y,  y. s))
• Tellers can then decrypt the first onion to give
the candidate permutation
(, (y,  y. s))
• At the time of casting a layer of encryption can
be stripped off the onion to give:
(, (y, y. s))
Destruction of LH strips
• For coercion resistance it is essential that voters not be
able to exit the polling station with the LH strip.
• Countermeasures:
– Procedural: officials oversee destruction of LH strips.
– Mechanical: device that automatically strips off the LH strip and
discards it.
– Decoy strips: plentiful supply of alternative LH strips provided in
the booth.
– Scratch strips: onion under the strip (in 2D bar code?) candidate
list overprinted: revealing the onion destroys the list.
– Disc ballots!? Ballot “forms” take the form of a pair of discs
sealed together. After selection they are separated. Axial
symmetry ensures that the original configuration is lost.
– Quantum!? Ballot “forms” using entangled q-bits. Measurement
to reveal candidate lists collapses the wave functions.
Confusion of tellers modes
• Essential that any onion can be processed at
most once.
– Allow on-demand teller mode only during the pre-election phase. Ensure that all audited ballots are
destroyed.
– Procedural/Mechanical: any processed form is
invalidated to prevent reuse.
– Cryptographic, e.g., authentication codes that are
destroyed when the onion is used.
– Just in time candidate lists: revealed only at the time
that the voter makes their selection.
Remote Prêt à Voter
• Naïve step: casting vote by just submitting an
onion and index value.
• More sophisticated, coercion resistant version (à
la Clarkson, Myers): supply voters with a token,
onion and encrypted candidate list.
• Tokens constructed like onions but with “valid”
flag at the centre.
• Coerced voter can corrupt their token. Invalidity
only revealed after the anonymising mixes.
• Designated verifier proofs to convince voters of
the validity of their token.
Chaum’s “Bingo Dauber” scheme
• Presented at FEE 2005.
• Uses pen and paper and Prêt à Voter’s
randomised candidate list (actually two per form,
cf symmetrised proto-Prêt à Voter, WITS 2005).
• Used two layers rather than strips and “bingo
dauber” to mark both sheets simultaneously
through holes in upper layer.
• Retains voter cut and choose element.
Future work
• On the current model:
– Determine exact requirements.
– Formal analysis and proofs.
– Construct threat and trust models.
– Investigate error handling and recovery strategies.
– Develop a full, socio-technical systems analysis.
– Develop prototypes and run trials, e.g., e-voting
games!
– Investigate public understanding and trust.
Future work
• Beyond the current scheme:
– Alternative sources of seed entropy: Voters, optical
fibres in the paper,…?
– Protocols for distributed and on-demand generation
and checking of ballot forms, e.g., authenticated
onion establishment.
– (Threshold) schemes to thwart collusion attacks on
checking modes.
– Alternative robust mixes, e.g., ZK shuffle proofs.
– Adaptation to coercion resistant remote voting (e.g.,
Cornell work).
Acknowledgements
• With thanks to:
– David Chaum
– Michael Clarkson
– James Heather
– Michael Jackson
– Thea Peacock
– Brian Randell
– Ron Rivest
– Steve Schneider
– Jeroen van der Graf
– and many others….
References
• David Chaum, “Secret-Ballot Receipts: True Voter-Verifiable Elections”, IEEE Security and Privacy Journal, 2(1): 38-47, Jan/Feb 2004.
• J W Bryans & P Y A Ryan, “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle Tech Report CS-TR-809, 2003.
• J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST 2003.
• P Y A Ryan & J W Bryans, “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR 2004.
• P Y A Ryan, “Towards a Dependability Case for the Chaum Voting Scheme”, DIMACS, June 2004.
• P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT Boston, 1-2 October 2004.
• P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election Scheme”, WITS, 10-11 January 2005, Long Beach Ca.
• D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679.
• B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005, to appear IEEE Security and Privacy Magazine.
• P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929, September 2005, submitted to IEEE Security and Privacy Symposium 2006.
• Frontiers of Electronic Elections, FEE 2005, http://www.win.tue.nl/~berry/fee2005/
• Clarkson and Myers, “Coercion-resistant Remote Voting using Decryption Mixes”, at FEE 2005.