[Moderator's note: I'm not sure I agree with Mr. Gerck's conclusion, given that I don't think the proof is incorrect, but... --Perry]
> Forwarded below is an email from Dr. Rebecca Mercuri whose
> PhD dissertation contained a proof that an electronic voting
> system can be either secure (tamper proof) or anonymous
> (as in secret ballot), but NOT BOTH, "The requirement for
> ballot privacy creates an unresolvable conflict with the
> use of audit trails in providing security assurance".

The conclusion is incorrect. There is actually more than one way to provide for ballot privacy and use effective audit trails in electronic voting systems.

One way is to have a (sufficiently redundant) witness system that records what the voter sees and approves as the ballot is cast by the voter, without recording who the voter is. The witness system can include independent witnesses controlled by every party or observer of the election. The vote tally result can be verified with a confidence level as close to 100% as desired by tallying a percentage of those witness records. The theoretical basis for such a system is Shannon's 10th theorem. For a presentation, see http://www.vote.caltech.edu/wote01/pdfs/gerck-witness.pdf

Another way is to provide each voter with a double-blind digital certificate that includes a nonce, and using homomorphic encryption for further protecting the voting pattern from disclosing the voter's identity (the Mafia attack). The nonce allows for an effective audit trail per voter without disclosing the voter's identity. See http://www.vote.caltech.edu/wote01/pdfs/gerck.pdf

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]