Having a paper ballot printed by machine (and checked by the votor) before being dropped in a box may permit some additional cross-checks:
* Put serial numbers or something like them, on each ballot, so that missing or added ballots can be detected. * Put check digits on each ballot, so that alterations can be detected. In order to avoid a big key management problem, perhaps each machine could generate its own key-pair, and print the public half on each ballot. Perhaps the check digits could be chained through the whole sequence of ballots so that adversaries have to modify the whole tail sequence to change one. Perhaps at the end of the sequence, the machine could generate a known set of void ballots, making changing the tail after the fact impossible. * Print a receipt for the actual votor that can be used by the votor to check that her vote was actually recorded. Ideally, the receipt should also be able to confirm that the actual intended votes were recorded. It should not be possible to compute the votes from the receipt. It should not be possible for an inquiry about a vote from the receipt holder to tie the identity of the votor to the votes. This last item would help my degree of confidence - I'd like to be able to independently confirm, myself, that my vote was accurately recorded. Naturally, the sequence information must not be traceable to an individual - this is usually the case in manual sign-in systems that match votors to registration books. I would be skeptical about automated sign-in. -Larry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
