Secure Remote Voting Using Paper Ballots
Authors: Lukasz Nitschke
Lukasz Nitschke, Adam Mickiewicz University, Poznań, Poland

Abstract. Internet voting will probably be one of the most significant achievements of the future information society. It will have an enormous impact on the election process making it fast, reliable and inexpensive. Nonetheless, so far remote voting is considered to be very difficult, as one has to take into account susceptibility of the voter's PC to various cyber-attacks. As a result, most of the research effort is put into developing protocols and machines for poll-site electronic voting. Although these solutions yield promising results, they cannot be directly adopted to Internet voting because of the secure platform problem. However, the cryptographic components they utilize may be very useful. This paper presents a scheme based on combination of mixnets and homomorphic encryption borrowed from robust poll-site voting, along with techniques recommended for remote voting – code sheets and test ballots. The protocol tries to minimize the trust put in voter's PC by making the voter responsible for manual encryption of his vote. To achieve this, the voter obtains a paper ballot that allows him to scramble the vote by performing simple operations (lookup in a table). Creation of paper ballots, as well as decryption of votes, is performed by a group of cooperating trusted servers. As a result, the scheme is characterized by strong asymmetry – all computations are carried out on the server side. In consequence it does not require any additional hardware on the voter's side, and offers distributed trust, receipt-freeness and verifiability.

1 Introduction

If we take a critical look on the traditional voting methods that we have been using for years, we can observe many opportunities for fraud along with the inability of the citizens to verify the election results.
This gives a strong motivation for computer scientists to design electronic mechanisms that could realize voting, and that would not only disable cheating and allow checking, but also lower the costs and increase availability. Unfortunately, such electronic solutions, contrary to traditional voting, have to face an inherent threat that any security hole may allow massive abuse (this is an exemplification of a general phenomenon well described by Schneier [1], and denoted as class break). More formally electronic voting should meet the following requirements.

– Anonymity, privacy – voters' choice should remain their secret.
– Receipt-freeness – voter should be unable to convince a third party of the vote decision and, as a consequence, should be unable to sell his or her vote. This property is also achieved if the voter has effective measures of deceiving a potential buyer.
– Verifiability – voter should be able to check correctness of every stage of the protocol. He or she should be empowered to verify the tallying process (global verifiability) and check if his or her vote was included (individual verifiability). Usually individual verifiability requires a lookup in a public catalog, whereas, global verifiability demands performing some computations. This implies the fact that an average voter delegates global verifiability to experts or watchdog organizations.

Three approaches to the problem of electronic voting have been proposed so far [2] [3].

– Poll-site voting also denoted as DRE (Direct Recording by Electronics) – special voting machines with dedicated software are installed in voting booths at polling stations. Voters can cast votes by interacting with such a machine, and in some cases he or she can receive a receipt for verification. The terminal and the environment can be controlled.
Moreover, some steps of the protocol may be performed by an election official, for instance the voter can be personally authorized.
– Kiosk voting – voting takes place through publicly available terminals (e.g. sophisticated ATMs or dedicated state-owned machines). In this scenario only the terminal can be controlled.
– Voting via Internet performed by a client-server application, run by voter's PC/mobile phone/PDA/smart card, and on the server side, by trusted authority or authorities. Neither the terminal nor the environment can be controlled.

Poll-site voting. Recently, the effort of researchers is mostly put into developing protocols and machines for poll-site voting. Among the listed approaches, this is the least demanding from the security perspective, as we can assume control of the voter, and on the environment (the officials are present at the poll-site). Several well designed solutions have been proposed so far, including: [4] [5] [6] [7]. The machines used at polling stations produce encrypted ballots. The verification of the encryption process takes place through printing two ballots and letting the voter choose which to check. The chosen ballot is compromised by providing (usually printing) additional data which allows verification. The process requires a computer program and equipment (e.g. scanner). In practice, the verification is meant to be carried out by watchdog organizations that collect the ballots at polling stations or somewhere else. As a consequence, the remaining ballot is believed to be properly constructed and is used to cast a vote. The ballot without additional data cannot serve as an evidence for vote selling purposes (receipt-freeness). Encrypted votes are published and processed by election authorities to obtain the final result. Every voter can check if his or her encrypted vote participated. Correctness of the processing can be universally verified.
Interactive testing of machine encryption plus verification of the processing give strong assurance that cheating is impossible. Although verifiability and receipt-freeness were successfully adopted to poll-site voting, they cannot be easily applied to Internet voting by employing the same techniques (interactive testing). This is the consequence of the following observations.

– We cannot replace dedicated machines with voters' personal computers. This is caused by the fact that a PC is not tamper-proof, and may leak secret information to the voter, enabling vote selling. For instance, interactive checking of ballots relies on the assumption that the voter does not learn verification data for the proper ballot.
– It is difficult and expensive to reduce the size of voting machines used in poll-site voting to make them portable (integrated printer and other implementation aspects).
– Verification of ballots requires either a trusted testing device or a third party organization.

Remote voting. The remote voting approach is the most convenient and cost-effective. It also reflects the needs of the modern society. Nonetheless, it is considerably more challenging, as we have to take into account various cyber-attacks (possibly launched from a hostile country), and less control of the voter [8] [3]. Vulnerabilities of voter's PC may open the door to many serious abuses, e.g. automated vote selling or malicious changing of votes. Several countermeasures have been proposed to minimize the trust put in voter PC. Apart from the expensive ones (trusted hardware) and the idealistic ones (clean operating system) code sheets, and test ballots seem to be promising [3].

Code sheets impose a complete asymmetry in the computational sense – no computations are done on the voter's side.
This is achieved by providing voters with ballots that contain unique codes representing candidates (different set of codes for each ballot). Each candidate code has a verification code assigned to it. The PC is used to pass the entered code on to the election authority, which returns the relevant verification code. The response is displayed by the PC, integrity of remotely cast vote. Honest election authority may prevent cyber-attacks, but a dishonest one can try to influence elections results or breach voter's privacy. An exemplification of code sheets scheme is SureVote system [9].

Test ballots is an approach that suggests introducing special ballots in the voting stage. The ballots should be unrecognizable for the tallying authorities, so that they are unable to predict for which ballots they will have to reveal processing after publication of the result.

In addition to the SureVote system, there are attempts to solve the untrusted platform problem by utilizing trusted hardware ([10]), but these solutions have to face a serious threat of malicious producers and kleptography [11].

2 Sketch of the new protocol

2.1 Design goals

Design of the presented protocol was motivated by four main aims.

– Providing verification and receipt-freeness at the same time.
– Easy and inexpensive integration with traditional elections. It means that no additional hardware on the client side is required and that remote voters may be recognized before traditional elections start to prevent double voting.
– Reduction of trust put in voter's PC and software it runs, by assuring that voter's computer is unable to record and change choices made by its user (neither randomly nor intentionally).
– Distribution of trust put in authorities.

The main idea of the protocol is that the voter encrypts his vote manually by performing simple operations on his paper ballot.
This assumption creates a need for a scrambling method that is feasible to perform on a piece of paper. Permutations, or cyclic rotations in particular, lend themselves naturally to this goal. Operations performed by the voter can be inverted by a group of cooperating servers that perform distributed computations. This is how the trust is distributed, and contrary to code sheets, the process of decrypting votes can be publicly controlled. This model also includes distributed creation of paper ballots. The ballot can be interactively tested using similar techniques as in poll-site machines.

2.2 Actors

Apart from the voters, the protocol employs the following trusted authorities.

– $EC_1$ (Election Committee 1) - provides an on-line voting service, whose users are authorized using known protection mechanisms. Communication with $EC_1$ can be established through an authenticated (in both directions), private channel.
– $EC_2$ (Election Committee 2) - prints paper ballots used to encrypt user choice.
– $A_1, A_3, \ldots, A_\lambda$ – authorities that participate in the process of creating paper ballots, and in the process of decrypting votes, they assure also distribution of trust and audit.
– $BB$ – bulletin board, provides an authenticated public channel – allows to publish and then access signed messages.

2.3 The protocol from the voter's perspective

1. (Registration) Registration procedure should be similar to applying for an electronic bank account. A citizen fills in an application form and submits it personally to the local administration office where he is personally authorized (based on his signature and ID card). After a reasonable period of time the voter is able to receive his elections kit from $EC_1$. The kit contains credentials which enable remote authentication of the user. The methods used here may be similar to the ones used in e-banking, e.g. PIN, password, one-time passwords, token.
A token integrated with electronic ID card or signatures-enabled ID is considered to be an optimal solution.
2. (Obtaining of paper ballot) A few months before elections a citizen, who is willing to cast his vote via Internet is obliged to visit the local administration office in order to obtain a paper ballot, and to be personally authorized. It is assumed that the voter has already gained access to the election service (see: registration). The voter chooses two ballots, then decides which one should be verified. The selected ballot is recoded by an election official, and can be verified by the voter or by a civic committee. The other ballot is separated from the part containing validation data, and serves as proper means of casting a vote. The validation data is destroyed in the presence of the voter.
3. (Manual encryption) Every ballot has a simple operation assigned to it. The transformation is represented by a table so that it is easy for the voter to encode his or her candidate number $v$ by the value $v + sh \bmod c$. The voter marks the candidate's number and reads the underlying encryption of the vote.
4. (Vote submission) The voter logs into the voting system, enters $id$ and the encrypted vote.
5. (Publication of encrypted votes) $EC_1$ publishes voters' names along with encrypted votes on the $BB$.
6. (Verification) Voter checks if his vote reached bulletin board in an unchanged form.
7. (Vote results publication) The votes are decrypted by trusted authorities $A_1, A_3, \ldots, A_\lambda$ and published.

3 Building blocks

Most of the building blocks we employ are based on the ElGamal public key cryptosystem. Let $p$ be a large prime, $g$ a generator in $Z_p$ and $x$ a random element of $Z_p$.
We define: ElGamal private-public key pair as $(x; p, g, y\ (= g^x \bmod p))$, ElGamal encryption function $e_y(m) = (m y^k, g^k)$ and decryption function $d_x(a, b) = a / b^x$. Owner $A$ of asymmetric keys $(x; p, g, y)$ can prove non-interactively that a given ciphertext $(a, b)$ is an encryption of message $m$ using a zero-knowledge proof of equality of discrete logs ($\log_b(a/m) = \log_g(y)$) [12]. We will denote the proof as $nizk(m, (a, b))$.

3.1 Mix Networks

One of the most important branches in research of electronic voting are protocols based on mix networks. Mix network protocols allow to shuffle a list of encrypted messages in a distributed way by $\lambda$ trusted parties (mix servers). Each party $A_i$ sequentially permutes and transforms elements on the list. The resulting list is passed on to the next mix server via an authenticated public channel ($BB$). Transformations carried out by a single server obfuscate relations between input and output elements. Therefore, it is hard to determine the secret permutation of a single server, and in consequence the global permutation of the whole mixnet. We need two functions to perform distributed shuffling:

– $o(m)$ – creates an initial encrypted form (called onion) of $m$ that passes through the mix servers
– $t_k(c)$ – transforms cipher text $c$ into $c'$ so that: $c'$ encrypts the same message as $c$, and it is difficult to prove this fact without the knowledge of the randomizing value $k$.

There are different types of mixnets, depending on the transformation function. We will employ partially decrypting mixnets. This type of mixnet is characterized by the fact that each server partially decrypts elements on its input list and the last server yields messages. Such a mixnet based on ElGamal can be built by defining the $o$ and $t$ functions as follows [13]:

$o_k(m) = e_{y_1 y_2 \ldots y_\lambda}(m)$,
$t_k((a, b)) = (a (y_{i+1} y_{i+2} \ldots y_\lambda)^k / b^{x_i},\ b \cdot g^k)$.
Where $(x_i, y_i)$ are $A_i$ asymmetric keys.

Randomized Partial Checking

A mix network protocol can be employed as a component of electronic voting if it can be guaranteed that none of the list elements was replaced or maliciously altered. This property called robustness is provided by additional checking. Randomized Partial Checking is a fairly simple and effective verifying technique which was introduced in [14]. The mix servers are obliged to reveal a random half of their input-output relations, with the assurance that no path of length greater than 2 can be uncovered. To achieve this property the servers are paired, and forced to uncover complementary halves of their transformations. In more detail, RPC consists of the following steps:

1. (Before shuffling) The mix servers publish commitments to their permutations ($pcommit(\pi) = (commit(\pi(1)), \ldots, commit(\pi(n)))$).
2. (After shuffling) The servers establish a fairly chosen value $r = r_1 \oplus r_2 \oplus \ldots \oplus r_\lambda$ – each server contributes its $r_i$ using commitments, so that no party is able to determine $r$. Then a value $q = hash(r, content(BB))$ is computed, and $q_i = hash(q, i)$ are derived. Values $q_i$ determine transitions to be revealed in pair $i$. To prove validity of a selected transition of $j$-th input server $A_i$ publishes a value $validator(i, j)$ that may consist of $decommit(\Pi_i(j)), k_{ij}$, where $k_{ij}$ is the randomization value used in the $j$-th transformation.

3.2 Homomorphic Encryption and Re-encryption

The ElGamal scheme has the property that having two encrypted messages, one can calculate the ciphertext of multiplication of the two messages. This can be achieved by simply multiplying the two ciphertexts. This property is known as $(\cdot, \cdot)$-homomorphism. For the sake of this paper $(\cdot, +)$-homomorphism is more useful. However, this requires a small modification of the original ElGamal.
– $he_y(m_1) = (h^{m_1} \cdot y^{k_1}, g^{k_1})$, $he_y(m_2) = (h^{m_2} \cdot y^{k_2}, g^{k_2})$
– $he_y(m_1) \cdot he_y(m_2) = (h^{m_1} \cdot y^{k_1} \cdot h^{m_2} \cdot y^{k_2},\ g^{k_1} \cdot g^{k_2}) = (h^{m_1 + m_2} \cdot y^k, g^k) = he_y(m_1 + m_2)$

$h^m$ is obtained from $he_y(m)$ by performing regular ElGamal decryption, then $m$ is found through exhaustive search or lookup in a precomputed table. Note, that if we take $p$ such that a large prime $q \mid p - 1$ and a small $r \mid p - 1$ then assuming that $ord(g) = q$ and $ord(h) = r$ we can perform encrypted additions in $Z_r$.

3.3 Computing Mixnet

If we combine mixnets with the idea of homomorphic encryption we obtain a protocol for distributed computation that has the property that it obfuscates the relations between input and output values. Computations performed by such a network can be used to anonymously invert the adding operation (cyclic rotation) performed by the voter. We now obtain two new $o(\cdot)$, $t(\cdot)$ functions:

– $ho_k(m) = he_{y_1 y_2 \ldots y_\lambda}(m)$,
– $ht_{k,l}((a, b)) = (a \cdot h^l \cdot (y_{i+1} y_{i+2} \ldots y_\lambda)^k / b^{x_i},\ b \cdot g^k)$, $l$ is a value added in a given transformation.

4 The Protocol

4.1 Setup

Notation: $n$ – number of paper ballots, $c$ – number of candidates; $p$ – secure, public prime, such that a large prime $q \mid p - 1$ and $c \mid p - 1$, $g$, $h$ – generators in $Z_p$ of order $q$, $c$ respectively; $(x_i; p, g, y_i)$ – $A_i$ asymmetric keys; $(x_{EC_2}; p, g, y_{EC_2})$ – $EC_2$ asymmetric key.

Before elections start the following steps need to be fulfilled.

1. $EC_1$ chooses a permutation $\pi_0 : Z_n \to Z_n$, and publishes the commitment.
   $EC_1 \longrightarrow BB : pcommit(\pi_0)$
2. Each $A_i$:
   (a) chooses a permutation $\pi_i : Z_n \to Z_n$, and a vector of small integers ($l_{ij} < c$): $l_i = (l_{i,1}, l_{i,1}, \ldots, l_{i,n})$;
   (b) publishes the commitment to its permutation and to the values $l_{ij}$
   $A_i \longrightarrow BB : pcommit(\pi_i), commit(l_i)$.

4.2 Actions of the protocol

Creation of ballots.
Creation of paper ballots involves sending $n$ pairs of partially decrypting onions through the mixnet. The first onion in a pair carries an identifier of the input position, while the second one uses homomorphic encryption to accumulate the sum $sh$ that forms the cyclic rotation printed on the paper ballot.

$c_{0,j} = e_{y_1 y_2 \ldots y_\lambda y_{EC_2}}(\pi_0(j)), \quad hc_{0,j} = (1, 1), \quad j = 1, \ldots, n$
$EC_1 \longrightarrow BB : (c_{0,j}), (hc_{0,j})$

The pairs of onions are then being processed by the authorities $A_i$ ($c_{i,j} = t_{k_{i,j}, l_{i,j}}(hc_{i-1,j})$, $hc_{i,j} = ht_{k_{i,j}, l_{i,j}}(hc_{i-1,j})$), $i = 1, 2, \ldots, \lambda - 1$ and passed on to the next authority through the bulletin board. Note that the resulting identifiers and values $sh$ remain secret to the public audience, as they are encrypted with $EC_2$ public key.

Distribution and checking of ballots. Each voter $V$ personally obtains two paper ballots. He or she chooses one for verification and learns its validation values. The ballot identifier is scanned by an election official and marked as invalid by $EC_2$ on the $BB$. The values it contains can be verified: $\hat{id}, \hat{sh}, \hat{c}_{\lambda,k}, \hat{hc}_{\lambda,k}$ (relevant output onions), $nizk(\hat{id}, \hat{c}_{\lambda,k}), nizk(h^{\hat{v}}, \hat{hc}_{\lambda,k})$ (proofs). The other ballot provides the voter with $id, sh$, which are used for voting.

Casting votes. Each voter $V$ encrypts his vote $v$ obtaining $ev = v + sh \bmod c$. Encrypted vote is sent along with $id$ to $EC_1$ through an authenticated channel.

$V \xrightarrow{auth} EC_1 : id, ev$

The election authority publishes position on the input list $p = \pi_0^{-1}(id)$, voter's identifier, his encrypted vote, the onion $hc'_{0,p} = ho_{k'_{0,j}}(ev)$, and $k'_{0,j}$ as proof of the correctness of the onion.

$EC_1 \longrightarrow BB : p, V, ev, hc'_{0,p}, k'_{0,j}$

Recovering and counting votes.
The encrypted votes that have been available on the bulletin board enter the same mixnet, that uses the same $l_{ij}$ values, but instead of adding they are now subtracted by $A_i$ ($hc'_{\pi_i(j)} = ht_{k'_{i,j}, -l_{i,j}}(hc'_{i-1,j})$). The votes are made available on the $BB$. The onions that reach positions on the output list marked as invalid are traced back.

4.3 Mix-and-compute verification

For verification of the two stage process of creating ballots and recovering votes we need also a two stage validation technique. Splitting RPC directly into two phases – revealing 1/4 of transitions twice – does not work. This is because before the second stage of testing a malicious mix server would be able to pinpoint transitions that cannot be tested according to the rule that in a pair of servers no path of length two can be uncovered. Therefore, we propose a different two stage version of RPC, in which the servers are grouped in 4-tuples consisting of two pairs.

1. (After creation of ballots) 1/4 of transitions of each server is revealed preserving paths in uncovered pairs.
2. (After recovery of votes) Within each 4-tuple one pair is selected to reveal the remaining 1/4 of mappings in the RPC fashion. The servers in the other pair reveal transformations independently.

Now the probability that replacement of $n$ onions will remain unnoticed is $(1/6)^n$.

The transitions selected to be verified are determined in a way similar to regular RPC. However, the validating values also include elements of sums – $l_{ij}$. Transitions chosen to be revealed are uncovered in both stages.

5 Further Enhancements and Remarks

Receipt-freeness and verifiability. Providing verifiability and receipt-freeness (inability to sell votes) is the biggest challenge in design of voting protocols. In our protocol the voter is given two paper ballots.
He or she chooses one of them to reveal its validation values. The ballot is marked as compromised and can be verified by a watchdog organization. As a result the voter believes that the other ballot, whose validation values were destroyed, is also valid. But he or she is unable to prove it to anybody else (who was not present during interactive testing), and sell the vote. Since the process of ballot creation and recovery of votes is controlled, the voter is assured that his vote was properly counted.

Test ballots and interactive testing. The basic protocol presented above shows verification of mixing operations. Nonetheless, there are two steps of the protocol that deserve extraordinary suspiciousness – printing of ballots, and putting encrypted votes on the input list before decryption. Printing is verified by interactive testing – choosing one ballot out of two for thorough investigation. The output position (from the ballot creating mixing) is then marked as compromised. An interesting idea is to utilize the compromised ballots as test ballots. They might be introduced into the mixnet by verification organizations or voters themselves to strengthen verification of the decryption process (and the input list). The decrypted votes that hit compromised positions can be traced back, and voters who decided to check could verify their test ballot. In this sense test ballots are a real trust increasing factor.

Code sheets. The scheme would certainly benefit from an immediate assurance that votes cast by the voters reached the authority unchanged. To achieve this goal we can employ verification codes inserted in the identifier onion by $EC_1$ during creation of ballots. Natural candidates for the codes are truncated digital signatures of $EC_1$.

Colluding authorities.
The presented protocol assumes that the authorities $EC_1$ and $EC_2$ are in a conflict of interest – for instance they are controlled by the ruling and opposition party. Otherwise, they would be able to violate users privacy and try to introduce fake votes. This is caused by the fact that one authority ($EC_1$) controls the input to the computing mixnet while the other party ($EC_2$) controls the output.

K-out-of-L voting. In the basic setting the proposed scheme offers 1-out-of-L voting, which means that we can choose only one candidate. However, we can easily extend it by adding multiple cyclic rotations to K-out-of-L or K-out-of-L-ordered voting. This requires increased number of homomorphic onions processed by the authorities.

6 Conclusions

So far, no viable solution to the problem of remote electronic voting has been proposed. The computational model presented in this paper is a step towards overcoming vulnerabilities of operating systems, personal computers and the Internet. The solution also offers receipt-freeness, and full verification of every step. Crucial parts of the verification can be carried out by an average voter while the more complicated procedures may be delegated to experts or independent organizations. We also showed that autonomously computing mix servers may be a useful component of cryptographic protocols.

References

1. Schneier, B.: Beyond fear: Thinking sensibly about security in an uncertain world. Copernicus Books (2003)
2. Force, C.I.V.T.: A report on the feasibility of internet voting (2000)
3. Oppliger, R.: How to address the secure platform problem for remote internet voting. In: Proceedings 5th Conf. on Security in Information Systems (SIS 2002). (2002) 153–173
4. Chaum, D.: Secret-ballot: True voter verifiable elections. IEEE Security and Privacy (January-February) (2004) 38–47
5. Neff, A.: A verifiable secret shuffle and its application to e-voting.
In Samarati, P., ed.: ACM CCS '01, ACM Press (2001) 116–125
6. Adida, B., Rivest, R.: Scratch and vote: Self-contained paper-based cryptographic voting. In Dingledine, R., Yu, T., eds.: ACM Workshop on Privacy in the Electronic Society, ACM (October 2006)
7. Ryan, P.Y.A., Schneider, S.A.: Pret a voter with re-encryption mixes. Technical Report 956, Newcastle University, School of Computing Science (Apr 2006)
8. Rubin, A.: Security considerations for remote internet voting over the internet (2001)
9. SureVote: E-voting system - overview (2001)
10. Lee, B., Kim, K.: Receipt-free electronic voting scheme with a tamper-resistant randomizer. In: ICISC. (2002) 389–406
11. Young, A., Yung, M.: The dark side of black-box cryptography, or: Should we trust Capstone? Lecture Notes in Computer Science 1109 (1996)
12. Chaum, D., Pedersen, T.: Wallet databases with observers. In: CRYPTO '92: Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, London, UK, Springer-Verlag (1993) 89–105
13. Ch. Park, K.I., Kurosawa, K.: Efficient anonymous channel and all/nothing election scheme. In: EUROCRYPT '93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, Springer-Verlag (1994) 248–259
14. M. Jakobsson, M.J., Rivest, R.: Making mix nets robust for electronic voting by randomized partial checking. In: USENIX02. (2002)
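
The computing mixnet of Sections 3.3 and 4.2 can be traced end to end in Python; the following is an added example, not code from the paper or its author. It builds ballots by accumulating $sh$ in homomorphic onions, encrypts votes on paper as $ev = v + sh \bmod c$, and recovers them by running the same mixnet with the $l_{ij}$ subtracted. Assumptions: toy group parameters, hypothetical function names, identifiers encoded as $\pi_0(j) + 1$, independent randomizers for the two onions of a pair, every ballot used to vote, and no commitments, RPC or nizk proofs.

```python
import random
from itertools import count

rng = random.Random(7)  # fixed seed for a reproducible demo; real keys need a CSPRNG

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def element_of_order(p, r):
    """Return an element of Z_p^* whose order is exactly r (r divides p-1)."""
    for a in range(2, p):
        x = pow(a, (p - 1) // r, p)
        if all(pow(x, d, p) != 1 for d in range(1, r)):
            return x

# Toy parameters (constructed, far too small for real use): c | p-1 and prime q | p-1.
C, Q = 5, 1019
P = next(k * C * Q + 1 for k in count(1) if is_prime(k * C * Q + 1))
G, H = element_of_order(P, Q), element_of_order(P, C)
LOG_H = {pow(H, m, P): m for m in range(C)}  # precomputed table: h^m -> m

def keygen():
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def make_authority(n):
    """A_i: key pair, secret permutation pi_i and secret vector l_i with l_ij < c."""
    x, y = keygen()
    pi = list(range(n))
    rng.shuffle(pi)
    return {"x": x, "y": y, "pi": pi, "l": [rng.randrange(C) for _ in range(n)]}

def ht(onion, x_i, rest, k, l):
    """ht_{k,l}((a,b)) = (a*h^l*rest^k / b^x_i, b*g^k); with l = 0 this is plain t_k."""
    a, b = onion
    a = a * pow(H, l % C, P) * pow(rest, k, P) * pow(b, P - 1 - x_i, P) % P
    return a, b * pow(G, k, P) % P

def mix(onions, auths, tail_key, sign):
    """Run onions through A_1..A_lambda: A_i adds sign*l_ij and moves slot j to pi_i(j)."""
    for i, auth in enumerate(auths):
        rest = tail_key                      # product of the keys still wrapping the onion
        for later in auths[i + 1:]:
            rest = rest * later["y"] % P
        out = [None] * len(onions)
        for j, onion in enumerate(onions):
            k = rng.randrange(1, Q)
            out[auth["pi"][j]] = ht(onion, auth["x"], rest, k, sign * auth["l"][j])
        onions = out
    return onions

def demo(n=6, lam=3):
    auths = [make_authority(n) for _ in range(lam)]
    x_ec2, y_ec2 = keygen()
    y_mix = 1
    for auth in auths:
        y_mix = y_mix * auth["y"] % P
    pi0 = list(range(n))
    rng.shuffle(pi0)                         # EC1's permutation pi_0
    # Creation of ballots: identifier onion e(pi_0(j)+1) and homomorphic onion (1,1).
    id_onions = []
    for j in range(n):
        k = rng.randrange(1, Q)
        id_onions.append(((pi0[j] + 1) * pow(y_mix * y_ec2, k, P) % P, pow(G, k, P)))
    id_out = mix(id_onions, auths, y_ec2, 0)
    sh_out = mix([(1, 1)] * n, auths, y_ec2, +1)
    dec = lambda ab: ab[0] * pow(ab[1], P - 1 - x_ec2, P) % P   # EC2 strips its layer
    ballots = [(dec(i), LOG_H[dec(s)]) for i, s in zip(id_out, sh_out)]
    # Casting: voter `pos` holds ballots[pos]; the PC and EC1 only see (id, ev).
    choices = [rng.randrange(C) for _ in range(n)]
    vote_onions = [None] * n
    for (ballot_id, sh), v in zip(ballots, choices):
        ev = (v + sh) % C                    # manual encryption, done on paper
        k = rng.randrange(1, Q)
        slot = pi0.index(ballot_id - 1)      # EC1 computes p = pi_0^{-1}(id)
        vote_onions[slot] = (pow(H, ev, P) * pow(y_mix, k, P) % P, pow(G, k, P))
    # Recovery: same mixnet, same l_ij, now subtracted; the last server yields h^v.
    recovered = [LOG_H[a] for a, _ in mix(vote_onions, auths, 1, -1)]
    return ballots, choices, recovered

if __name__ == "__main__":
    print(demo())
```

Because a vote re-enters at input position $\pi_0^{-1}(id)$, it follows the same path as the onion that produced its ballot, so each authority removes exactly the $l_{ij}$ it contributed.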