Pret a Voter

Document Sample
Pret a Voter Powered By Docstoc
					                     Prêt à Voter
     Practical, Voter-verifiable Elections

                       Peter Y A Ryan
                   University of Newcastle upon

Cambridge                    P Y A Ryan           1
15 November 2005             Prêt à Voter
•   The problem.
•   Voter-verifiability.
•   Outline of Prêt à Voter “Classic”
•   Prêt à Voter with re-encryption mixes
•   Vulnerabilities and counter-measures

Cambridge            P Y A Ryan             2
15 November 2005     Prêt à Voter
                   The Problem
• From the start it was recognised that people
  would be tempted to try to corrupt the outcome
  of democratic processes.
• The Ancient Greeks experimented with primitive
  technological solutions to try to shift the trust
  from people to mechanical devices.
• In the US they have been using technological
  devices for voting for over a century: level
  machines since 1887 (or thereabouts), due to
  high levels of fraud with paper ballots. Edison
  patented an electronic voting device around that
Cambridge             P Y A Ryan                  3
15 November 2005      Prêt à Voter
    “The Computer Ate my Vote”
• In this year’s presidential election, ~30%
  of the electorate were using DRE, touch
  screen devices.
• Aside from the “thank you for your vote for
  Kerry, have a nice day” what assurance do
  they have that their vote will be accurately
• What do you do if the vote recording and
  counting process is called into question?
Cambridge           P Y A Ryan               4
15 November 2005    Prêt à Voter
                   The Mercuri Method
• Rebecca Mercuri and others have been
  advocating having DRE machines generate a
  paper audit trail.
• Voters get to see the paper record under glass
  and if they confirm it gets dropped in a ballot
• A.k.a. Voter Verifiable Paper Audit Trails:
• This seems to help but has problems of its own.

Cambridge                 P Y A Ryan                5
15 November 2005          Prêt à Voter
            Remote vs Supervised
• We need to draw a clear distinction
  between supervised and remote voting.
• In the former the voter casts their vote in
  enforced isolation, e.g., in a booth in a
  polling station.
• Remote voting, e.g., internet, such
  isolation cannot be enforced.
• Hence dangers of coercion.
Cambridge            P Y A Ryan                 8
15 November 2005     Prêt à Voter
                   Hazards of e-voting!

Cambridge                P Y A Ryan       9
15 November 2005         Prêt à Voter
• For the purposes of the case study we will make
  many sweeping assumptions, e.g.,:
    – An accurate electoral register is maintained.
    – Mechanisms are in place to ensure that voters can be
      properly authenticated.
    – Mechanisms are in place to prevent double voting.
    – Existence of a secure Web Bulletin Board.
    – Etc.
• Note: Prêt à Voter “Classic” is supervised rather
  than remote.
Cambridge                 P Y A Ryan                    10
15 November 2005          Prêt à Voter
    Voter-verifiability in a nutshell
• Voters are provided with an encrypted “receipt” and are
  able to verify the decryption in the booth.
• Copies of the receipts are posted to a secure web
  bulletin board. Voters can verify that their (encrypted)
  receipt is correctly posted.
• Tellers perform a robust anonymising mix on the batch of
  posted receipts, revealing the decrypted votes at the
• Checks are performed at each stage to detect any
  attempt to decouple the encryption on the receipt from
  the decryption performed by the tellers.

Cambridge                P Y A Ryan                     11
15 November 2005         Prêt à Voter
                   Prêt à Voter
• Uses pre-prepared ballot forms that encode the
  vote in familiar form (an  against the chosen
• The candidate list is (independently) randomised
  for each ballot form.
• Information allowing the candidate list to be
  reconstructed is buried cryptographically in an
  “onion” on each ballot form.
• An excess number of forms are generated to
  allow for random auditing, before, during and
  after the election.

Cambridge              P Y A Ryan               12
15 November 2005       Prêt à Voter
 Example (single candidate choice)
• Each ballot form has a unique, secret, random
  seed s
• For each form, a permutation of the candidate
  list is computed as a publicly known function of
  this seed.
• The seed information is buried cryptographically
  using public keys of a number of tellers in an
  “onion” printed on the form.
• The seed can only be extracted by the collective
  actions of tellers, or suitable subset if a threshold
  scheme is used.

Cambridge               P Y A Ryan                   13
15 November 2005        Prêt à Voter
                   Typical Ballot Sheet






Cambridge                       P Y A Ryan             14
15 November 2005                Prêt à Voter
          Voter marks their choice





Cambridge                       P Y A Ryan             15
15 November 2005                Prêt à Voter
              Voter’s Ballot Receipt



Cambridge                        P Y A Ryan     16
15 November 2005                 Prêt à Voter
                   Voter casts her vote
• Once the voter has made their choice, the LH strip is
  detached and discarded.
• RH strip constitutes the receipt which is fed into a device
  that reads the information on the right hand strip.
• Note: the device does not learn the voter’s choice.
• The device will transmit a digital copy of the receipt to a
  central server, as a pair (r, Onion), for posting to the web
  bulletin board.
• The original RH strip is returned to Anne (digitally signed
  and franked).
• Here r (Zv ) is the index value that encodes the position
  of the .
Cambridge                  P Y A Ryan                      17
15 November 2005           Prêt à Voter
• Note that the receipt reveals nothing about the vote.
• The onion carries the crypto seed, encrypted with the
  teller’s public keys, that (a subset of) the tellers use to
  reconstruct the permutation of the candidate list.
• Without all of these secret keys (or an appropriate
  subset) the candidate list cannot be reconstructed and
  hence the vote value cannot be recovered.
• Vote is not directly encrypted, rather the frame of
  reference, i.e., the candidate list, is randomised and
  information defining the frame is encrypted.
• A VVPAT style mechanism can be incorporated.
• Works for ranked, STV etc.
Cambridge                   P Y A Ryan                          18
15 November 2005            Prêt à Voter
   Anonymisation and tabulation
• Once the election has closed and all receipts
  have been posted to the WBB, a set of tellers
  perform a robust anonymising mix on the
    – Receipts are decrypted by stages and undergo
      multiple secret shuffles. Intermediate stages are also
      posted to the WBB for audit.
    – Tellers transform the “r” index value. The final “r”
      values that emerge from the mix give the raw vote
      value in the canonical basis.
    – Any link between the original receipts and the
      decrypted values will be lost.
Cambridge                  P Y A Ryan                      19
15 November 2005           Prêt à Voter
                   Seeds and offsets
• Suppose that we have k tellers. Each teller
  has two public key pairs. For each ballot
  form 2k random germs are generated:
    gi,ZN (some modest size N, e.g., 232)
• The seed value is taken to be the
  sequence of these germ g values:
       Seed:= g0, g1, g2v, g3, …..... , g2k-1

Cambridge                P Y A Ryan        20
15 November 2005         Prêt à Voter
                   Onion construction

• The germs are buried in the 2k layers of the
• D0 is a random value, unique to each ballot form.
           Di+1 := {gi ,Di,}PKTi, , i= 0,…., 2k-1
                       Onion := D2k
• Thus:
     Onion := {g2k-1 ,{g2k-1 ,{…..,{g2,{g1,{g0, D0 }PKT_0 }PKT_1
                }PKT_2…..}PKT_2k-2 }PKT_2k-2 }PKT_2k-1

Cambridge                     P Y A Ryan                           21
15 November 2005              Prêt à Voter
           Candidate permutations
• These germs are used as keys for a random
  permutation function for each teller mix:
            i := f(gi), i=0 through 2k-1
• The candidate list permutation  is computed as
  the product of the 2k permutations computed
  above applied to the basis ordering 0 to give
  the candidate order  shown on the ballot form:
                  :=  i=02k-1 i○0

Cambridge             P Y A Ryan                22
15 November 2005      Prêt à Voter
                   Basis ordering 0
• We assume some canonical, basis ordering 0 from
  which all the permuted orderings on the ballot forms are
  derived by applications of the permutation functions
  derived from the hidden seed values:
• 0 :=

Cambridge                 P Y A Ryan                     23
15 November 2005          Prêt à Voter
             Teller transformations
• Transformations on the ballot pairs:
• On each ballot pair (ri, Di), the teller performs the transformation:

                            (ri, Di)  (ri-1, Di-1)
• Recall:
                            {Di}SKTi-1 = gi-1 ,Di-1
• And:
                              ri-1= f(gi-1) -1 (ri)

• Thus, one layer of onion is striped off and the revealed germ is used
  to compute the inverse of the ith permutation, which is applied to the
  index value.
• The final pair, (r0, D0) comprises the index value that represents the
  vote value in the basis ordering 0 along with the inner onion value.

Cambridge                         P Y A Ryan                              24
15 November 2005                  Prêt à Voter
             Batch 1              Batch 2                    Batch 3

                       Teller 1                  Teller 1'
Cambridge                         P Y A Ryan                           25
15 November 2005                  Prêt à Voter
              What can go wrong…
• For the accuracy requirement:

    – Ballot forms may be incorrectly constructed, leading
      to incorrect decryption of the vote.
    – Ballot receipts could be corrupted before they are
      entered in the tabulation process.
    – Tellers may perform the decryption incorrectly.

• We now discuss the counter-measures to these
Cambridge                  P Y A Ryan                        26
15 November 2005           Prêt à Voter
         Checking the ballot forms
• We need to check that the seed buried in the
  onion does correspond to the candidate
  permutation shown on the ballot form.
• Checks can be performed by auditors and the
  voters to catch such corruption:
    – Random audits of ballot forms performed before,
      during and after the election period by the Electoral
      Reform Soc etc.
    – Voters could also be invited to perform similar checks
      on randomly selected “dummy” forms. For example,
      voters could be invited to randomly select a pair of
      forms, one to check, one to cast their vote.

Cambridge                  P Y A Ryan                     27
15 November 2005           Prêt à Voter
               Auditing ballot forms
• To check the construction of the ballot forms the values
  on the form, onion and candidate ordering, can be
  reconstructed if the seed value is revealed.
• One of the innovations of Prêt à Voter is to use the
  tellers in an on-demand mode to reveal the secret seed
  value buried in the onion. Avoids problems with storing
  and selectively revealing seeds.
• Note, for this checking process, the tellers are used in an
  on-demand basis before and during the election-quite
  different to the batch mode for the anonymising mix after
  the election has closed.

Cambridge                  P Y A Ryan                      28
15 November 2005           Prêt à Voter
      Ballot form checking modes
•    In fact, this oracle teller mode suggests several ways
     for voters to check the well-formedness of ballot forms:

    1. Simple, single dummy vote
    2. Multiple or ranked dummy vote
    3. Given the onion value, the tellers return the candidate ordering

•    Note: vulnerable to authority/tellers collusion attacks.
•    The auditor checks are the more rigorous: not
     vulnerable to authority/teller collusions.

Cambridge                      P Y A Ryan                            29
15 November 2005               Prêt à Voter
     Recording and transmission
• To check that receipts are accurately
  recorded and input into the mix:
    – Voters can visit the WBB and check that their
      receipt appears correctly recorded.
    – Voter checks can be supplemented by
      independent audit authorities checking the
      WBB against the VVPAT style record of ballot

Cambridge              P Y A Ryan                30
15 November 2005       Prêt à Voter
                   Auditing the tellers
• Partial Random Checking of the teller transformations:
  auditor randomly selects half the of the links to be
  revealed and checked, but in such a way as not to reveal
  any links across the two transformations performed by
  the teller.
• Go down middle WBB column for each teller and
  randomly assign ► or ◄ to each pair.
• For a ►(◄), the tellers reveal the outgoing (incoming)
  link along with the associated re-encryption
  randomisation values.
• Note: because no complete paths across a given teller’s
  pair of mixes are revealed by the audit process, we can
  audit the tellers independently.

Cambridge                 P Y A Ryan                    31
15 November 2005          Prêt à Voter
                   Auditing the tellers

                       Teller Y A Ryan
                                           Teller 1'
15 November 2005            Prêt à Voter
     Advantages of Prêt à Voter
• Voter experience simple and familiar.
• No need for voters to have personal keys or computing
• Ballot form commitments and checks made before
  election opens  neater recovery strategies.
• The vote recording device doesn’t get to learn the vote.
• Votes are not directly encrypted, just the frame of
• Highly flexible.
• Works nicely for alternative voting systems, SVT,
  approval, ranked etc.
• Adaptable to remote voting (see Clarkson et al).

Cambridge                 P Y A Ryan                     33
15 November 2005          Prêt à Voter
• Re-encryption mixes
• Distributed generation of ballot forms.
• Concealment of onion/candidate list
• Separation of teller modes.

Cambridge              P Y A Ryan           34
15 November 2005       Prêt à Voter
               Re-encryption mixes
• Prêt à Voter “Classic” uses Chaumian (decryption) mixes.
• Alternatives:
    – re-encryption mixes.
    – Homomorphism schemes etc.
• Advantages of re-encryption:
    – Tellers inject fresh entropy at each stage, hence onion size doesn’t
      grow with number of tellers and germ size.
    – Less dependence on availability of tellers: a faulty mix teller can just be
      binned and replaced.
    – Full mixing over the El Gamal group.
    – Clean separation of mixing and decryption stages.
    – Mixes and audits can be rerun afresh.
• Downsides:
    – Need shuffle commitments.
    – Tricky to mesh with Prêt à Voter’s special encoding of votes.

Cambridge                          P Y A Ryan                                  35
15 November 2005                   Prêt à Voter
                   Re-encryption mixes
•     Prêt à Voter’s rather special representation of the vote
      in the receipts makes it tricky to mesh with re-
      encryption mixes. Some possible approaches:
    1.    Leave r, index terms unchanged through the mixes.
    2.    Follow re-encryption mixes with Chaumian decryption mixes.
    3.    Absorb the r into the onion value.
    4.    transform both r and D terms leaving vote value invariant
    5.    Add teller transforms to the index values, storing the entropy in
          an extra (pre-generated and audited) “onion” value.
    6.    Use zero-knowledge/crypto-homomorphism approaches.

Cambridge                        P Y A Ryan                             36
15 November 2005                 Prêt à Voter
• Option 1: allows the adversary to partition the mix
  according the index value, but might be okay where the
  number of voters vastly exceeds the number of ballot
• Option 2: again the re-encryption mix can be partitioned.
  Might be a reasonable compromise.
• Options 3 and 4: seems to work nicely but appears to
  necessitate malleable encryption for the terms that move
  through the mix.
• Option 5: works but looses conceptual simplicity (e.g.,
  need to mix by value and by position separately)
• Option 6: promising, but seems to loose the conceptual
  simplicity of the PRC approach, and perhaps the linear
  scaling properties.
Cambridge                 P Y A Ryan                     37
15 November 2005          Prêt à Voter
               El Gamal encryption
• El Gamal encryption:
• let  be a generator of cyclic group Zp*, p a large prime.
  Choose k (2kp-2) and let  = k (mod p).
• p,  and  made public, k kept secret.
• (Randomised encryption) of m in {0, …, p-1}:
                    (x, x.m) =: (y1, y2)
• Re-encryption:
                        (x+y, x+y.m)
• Note: same as directly encrypting m with randomisation
• Decryption:
                         m = y2 /y1k

Cambridge                  P Y A Ryan                      38
15 November 2005           Prêt à Voter
               Re-encryption mixes
• Work in a similar way to decryption mixes described
• Each mix teller takes in a batch of receipts encrypted
  with El-Gamal. For each it performs a re-encryption,
  choosing a different re-randomisation for each.
• It posts the resulting re-encrypted, shuffled ballots to the
  next column of the WBB.
• Mixes are followed by a (threshold) decryption stage.
• Afterwards, PRC can be performed in a similar way to
  that described earlier.
• Chaum-Pederson style ZK proofs of shuffles also seem
  possible with ElGamal “onions”.
Cambridge                  P Y A Ryan                       39
15 November 2005           Prêt à Voter
                      Option 3
• For simplicity we will assume just random cyclic shifts of
  the candidate list.
• Let s be the candidate list offset. Encrypt -s in the El
  Gamal pair to form the onion.
                     (x, x. -s) =: (y1, y2)
• A receipt pair can be transformed to:
                 (r, x, x. -s)  (x, x. r-s)
• This can be put through a conventional re-encryption mix
  and the final decryption yields the vote value directly.
• Need slight elaboration for full permutations.
• Note: for STV, ranked etc, we can mix the ballot cells

Cambridge                 P Y A Ryan                      40
15 November 2005          Prêt à Voter
•    Is the malleability of the onion terms
•    Malleability of terms flowing through the mix
     seems not to be a problem from the accuracy
     point of view.
•    From a secrecy point of view, it seems that it
     should be possible to perform a reduction style
     proof to the DH problem.
•    Still need to ensure that ballot receipts are non-
     malleable. Digital signatures appear to achieve

Cambridge                P Y A Ryan                  41
15 November 2005         Prêt à Voter
       Prêt à Voter Vulnerabilities
• Chain voting.
• Authority knowledge of ballot form
• Enforcing the destruction of LH strips.
• Separation of teller modes.

Cambridge           P Y A Ryan              42
15 November 2005    Prêt à Voter
                   Chain Voting
•    Effective against many conventional voting
    1. Coercer smuggles a blank ballot form out of the
       polling station and
    2. Marks it with their preferred candidate.
    3. They intercept a voter entering the polling station,
       hand them the marked up form and tell them that if
       they emerge from the station with a fresh, unmarked
       form they will be rewarded.
    4. Return to step 2.

Cambridge                 P Y A Ryan                     43
15 November 2005          Prêt à Voter
• In a system like the UK system in which voters are given
  a ballot form when they register and are them observed
  to cast the form in the ballot box, this can be quite
  effective: if the voter emerges with a fresh, blank form it
  is a strong indication that they cast the coercer’s marked
• For a conventional system, a possible counter-measure
  is to use a system along the lines of the French system:
  Ballot forms are not controlled, only their casting.
    – Ballot forms are freely available at the polling station.
    – Choice made in a booth by inserting ballot of choice in an
    – Voters register when they cast their vote, in an envelope.

Cambridge                      P Y A Ryan                          44
15 November 2005               Prêt à Voter
   Chain voting and Prêt à Voter
• Particularly virulent with WBB systems. Above counter-measure
• Note:
    – Voters don’t need sight of the onion value in order to make their
    – casting an encrypted ballot can be in the presence of a voting official.
• Hence, possible countermeasures:
    – Conceal the onion under a scratch strip.
    – Official checks scratch strip is intact at time of casting.
    – Also need to check that form used to cast corresponds to the forms
      given to the voter when they register.
    – Handling ballot forms in sealed envelopes also helps.
    – Cryptographic analogues, e.g., crypto commitments to onion values.
    – On demand printing of ballot forms-but harder to audit.

Cambridge                          P Y A Ryan                                    45
15 November 2005                   Prêt à Voter
    Distributed creation of ballots
• In Prêt à Voter Classic, the entities that create and handle the ballot
  forms must be trusted to keep onion/candidate lists secret.
• Countermeasures:
    – Create pairs on “entangled” onions (same seed). Conceal one under a
      scratch card (or cryptographically) and perform a pre-mix on the pairs.
    – Have the tellers translate the exposed onions into candidate lists.
    – Random audit the resulting forms.
    – Cast encrypted receipts in presence of an official and reveal the onion
      value at this point.
• Further possibilities:
    – “Mirror”, robust pre-mix on entangled onions (run Plaintext Equivalence
      Tests (PET) the entangled onion pairs and PRC the mix)
    – Just in time candidate lists.
    – Just in time onions.
    – Multiple entangled onions (independently reveal candidate lists for n-1)
• Plenty of possibilities, some adaptable to remote contexts.

Cambridge                         P Y A Ryan                                46
15 November 2005                  Prêt à Voter
                   Entangled onions
                 ((x, x. s), (y,  y. s))
•   Where  := k
•   These pairs are put through a set of re-
    encryption anonymising mixes:
               ((x, x. s), , (y,  y. s))
•   Tellers can then decrypt the first onion to give
    the candidate permutation
                      (, (y,  y. s))
•   At the time of casting a layer of encryption can
    be stripped off the onion to give:
                      (, (y, y. s))
Cambridge                P Y A Ryan                    47
15 November 2005         Prêt à Voter
           Destruction of LH strips
• For coercion resistance it is essential that voters not be
  able to exit the polling station with the LH strip.
• Countermeasures:
    – Procedural: officials oversee destruction of LH strips.
    – Mechanical: device that automatically strips off the LH strip and
      discards it.
    – Decoy strips: plentiful supply of alternative LH strips provided in
      the booth.
    – Scratch strips: onion under the strip (in 2D bar code?) candidate
      list overprinted: revealing the onion destroys the list.
    – Disc ballots!? Ballot “forms” take the form of a pair of discs
      sealed together. After selection they are separated. Axial
      symmetry ensures that the original configuration is lost.
    – Quantum!? Ballot “forms” using entangled q-bits. Measurement
      to reveal candidate lists collapses the wave functions.

Cambridge                       P Y A Ryan                             48
15 November 2005                Prêt à Voter
       Confusion of tellers modes
• Essential that any onion can be processed at
  most once.
    – Allow on-demand teller mode only during the pre-
      election phase. Ensure that all audited ballot as
    – Procedural/Mechanical: any processed form is
      invalidated to prevent reuse.
    – Cryptographic, e.g., authentication codes that are
      destroyed when the onion is used.
    – Just in time candidate lists: revealed only at the time
      that the voter makes their selection.
Cambridge                   P Y A Ryan                      49
15 November 2005            Prêt à Voter
               Remote Prêt à Voter
• Naïve step: casting vote by just submitting an
  onion and index value.
• More sophisticated, coercion resistant version (à
  la Clarkson, Myers): supply voters with a token,
  onion and encrypted candidate list.
• Tokens constructed like onions but with “valid”
  flag at the centre.
• Coerced voter can corrupt their token. Invalidity
  only revealed after the anonymising mixes.
• Designated verifier proofs to convince voters of
  the validity of their token.

Cambridge             P Y A Ryan                 50
15 November 2005      Prêt à Voter
  Chaum’s “Bingo Dauber” scheme
• Presented at FEE 2005.
• Uses pen and paper and Prêt à Voter’s
  randomised candidate list (actually two per form,
  cf symmetrised proto-Prêt à Voter, WITS 2005 ).
• Used two layers rather than strips and “bingo
  dauber” to mark both sheets simultaneously
  through holes in upper layer.
• Retains voter cut and choose element.

Cambridge             P Y A Ryan                 51
15 November 2005      Prêt à Voter
                   Future work
• On the current model:
    – Determine exact requirements.
    – Formal analysis and proofs.
    – Construct threat and trust models.
    – Investigate error handling and recovery strategies.
    – Develop a full, socio-technical systems analysis.
    – Develop prototypes and run trials, e.g., e-voting
    – Investigate public understanding and trust.

Cambridge                  P Y A Ryan                       52
15 November 2005           Prêt à Voter
                   Future work
• Beyond the current scheme:
    – Alternative sources of seed entropy: Voters, optical
      fibres in the paper,…?
    – Protocols for distributed and on-demand generation
      and checking of ballot forms, e.g., authenticated
      onion establishment.
    – (Threshold) schemes to thwart collusion attacks on
      checking modes.
    – Alternative robust mixes, e.g., ZK shuffle proofs.
    – Adaptation to coercion resistant remote voting (e.g.,
      Cornell work).

Cambridge                  P Y A Ryan                         53
15 November 2005           Prêt à Voter
• With thanks to:
    –   David Chaum
    –   Michael Clarkson
    –   James Heather
    –   Michael Jackson
    –   Thea Peacock
    –   Brian Randell
    –   Ron Rivest
    –   Steve Schneider
    –   Jeroen van der Graf
    –   and many others….
Cambridge                     P Y A Ryan     54
15 November 2005              Prêt à Voter
•   David Chaum, Secret-Ballot receipts: True Voter-Verifiable Elections, IEEE Security and Privacy
    Journal, 2(1): 38-47, Jan/Feb 2004.
•   J W Bryans & P Y A Ryan “A Dependability Analysis of the Chaum Voting Scheme”, Newcastle
    Tech Report CS-TR-809, 2003.
•   J W Bryans & P Y A Ryan, “Security and Trust in a Voter-verifiable Election Scheme”, FAST 2003.
•   P Y A Ryan & J W Bryans “A Simplified Version of the Chaum Voting Scheme”, Newcastle TR
•   P Y A Ryan, Towards a Dependability Case for the Chaum Voting Scheme, DIMACS June 2004.
•   P Y A Ryan, “E-voting”, presentation to the Caltech/MIT workshop on voting technology, MIT
    Boston 1-2 October 2004.
•   P Y A Ryan, “A Variant of the Chaum Voter-verifiable Election scheme”, WITS, 10-11 January
    2005 Long Beach Ca.
•   D Chaum, P Y A Ryan, S A Schneider, “A Practical, Voter-Verifiable Election Scheme”, Newcastle
    TR 880 December 2004, Proceedings ESORICS 2005, LNCS 3679.
•   B Randell, P Y A Ryan, “Trust and Voting Technology”, NCL CS Tech Report 911, June 2005, to
    appear IEEE Security and Privacy Magazine.
•   P Y A Ryan, T Peacock, “Prêt à Voter, A Systems Perspective”, NCL CS Tech Report 929,
    September 2005, submitted to IEEE Security and Privacy Symposium 2006.
•   Frontiers of Electronic Elections, FEE 2005,
•   Clarkson and Myers, “Coercion-resistant Remote Voting using Decryption Mixes”, at FEE 2005.

Cambridge                                  P Y A Ryan                                          55
15 November 2005                           Prêt à Voter