An examination of compter based voting

Abstract


This paper will present one possible design for an electronic voting system, extendible to take advantage of the Internet, based on the Australian-rules ballot. The system will be developed in stages from a very simple model and at eachs step the system will be examined to ensure it will afford the same protections as current ballot methods.

Introduction

A key goals of most electronic "/" Internet voting proposals is enabling people to vote from home. The problems presented by the wide variety of home machines is beyond the scope of this paper and will remain speculation until the matter of a voting mechanism is resolved. This paper will discuss one possible system for an all-electronic ballot, and such a system could form the basis of a vote-from-home system.

It is important to note that electronic voting is not a solution to problems of type demonstrated in Florida during the 2000 election. The ability to produce a clear ballot will not magically be granted to all who construct them online. The same layout issues will continue and will actually be compounded because a video monitor is less clear than a printed page at the same size of type. Some of the problems - stray marks, hanging chad, and over voting - will largely be eliminated, but selecting the wrong candidate will still count as vote for that person.

The most widely used form of secret ballot is the Australian ballot and is thus the touchstone for any electronic system. The Australian ballot's underlying assumption is all participants are out to defraud the system; from this, two key operating principals can be derived:

  1. No ballot may be traced back to a specific voter although the path of a ballot from creation to final counting can be recreated. This removes the incentive for any entity to purchase votes because there is no receipt. This also reduces the effectiveness of intimidation, but various totalitarian regimes have demonstrated the weakness of this protection.
  2. All activities, other than the actual marking of a ballot, must be conducted in the public eye or be auditable to an activity that takes place in public view. The public is often reduced to representatives (preferable with a known vested interest in the system), but there must be several representatives. }

Building an electronic Australian ballot presents a number of difficulties, the largest being dependence on the external auditing features, because it is difficult to view electrons as they zip about computer systems. The rest of this paper will be devoted to building electronic voting systems of increasing complexity and scale-ability until we have created a system that could be used for an entire voting district. One problem that any electronic-voting system has is vulnerability to a rogue programmer. The discussion of this problem is left to the end of the paper.

Simplest case

This is a thought experiment based loosely on the Athenian method of voting. Assume a single issue election. As each voter arrives at the polls they are handed a white rock and a black rock, the rocks having been counted before and placed in bags. The voting booth is just 2 jars; one marked vote and the other marked discard. The mouths are a bit larger than a human hand and of depth such that the bottom can not be reached; the jars are out in the open. To cast a ballot the voter walks up to the jars, places a hand in each and deposits the rocks. After the polls are closed the rocks in the vote jar are totaled with white a "yea" and black a "nay". The system is auditable: The total number of white rocks in the vote jar should match the number of black rocks in the discard jar. The total number rocks found in either of the jars should match the number of voters that entered the polls. Discards plus votes plus remaining rocks should equal the number of rocks present when the polls opened. Stuffing the ballot box before the polls open is prevented by up-ending the amphora as the polls are opened. Stuffing the ballot box after the polls close is prevented by sealing the top of the jars. Anonymity is preserved because no one is able to prove how they voted.

Breaking this into modules we have:

The main weakness of this system is the ability of voters to smuggle votes in their sleeves. The sound of a large number of stones would indicate stuffing of the ballot box, the valid votes could not be sorted from the invalid. By changing from stones to pottery balls it is possible to mark each ballot and prevent the voter from seeing this mark. Thus it is impossible to determine how a single voter voted, but still possible to tell valid from invalid votes. This is accomplished by baking a serial number into the center of each ball at the time of manufacture; as the votes are counted, the balls are smashed. Any balls containing a serial number not issued to the polling station are invalid.

Conversion of this into an electronic voting system serves to illustrate some of the problems.

A first pass of the system would be:

When voters enter the booth, they are presented with two buttons: one marked yes and the other no. The voter casts a ballot by selecting one or the other. The ballot box increments its yea or nay counter depending on the button selected.

This simplistic system however, fails to recognize the number of roles the pottery balls play. First, they provide a powerful check on the number of ballots cast. The duplication of this function is accomplished by adding a ballot store to the system. The ballot store is where ballots reside waiting for the voter. Only unused ballots remain in it after the polls are closed.

The system components are now:

The ballot store works in conjunction with the ballot box: When a voter enters the booth, a ballot is withdrawn from the store; when the vote is cast the ballot is deposited in the ballot box. To prevent the ballot box from being stuffed each ballot must have a unique serial number. However, the voter can never be allowed to learn the serial number because then it would be possible prove how a specific voter voted.

The revised process for voting is: A voter enters the booth and activates the front end. The ballot box requests a ballot from the ballot store. Upon receiving the ballot, the box removes the serial number from the ballot. The ballot store removes the serial number from the list of available ballots. The ballot box then passes the anonomyzed ballot to the front end. The voter is now offered the ballot and voting is possible. The voters select the way they wish to cast their ballot and then request that the ballot be deposited. The ballot box stores the ballot for latter counting. It is important to note that there should be no counting of the ballots until after the polls have closed.

The next role that the pottery balls serve is to prevent one person from casting multiple votes. This is accomplished by issuing a limited number of ballots and keeping only the moment of voting private. The voter's hand is hidden from view when the ball is dropped while the rest of the voter is visible. Thus the voters cannot start pulling extra ballots out of their tunics' without a number of people noticing. To provide this protection with an electronic ballot, the poll workers issue the voter a card with a unique number encoded. When the voter enters the voting booth, the card is deposited in a slot that checks for a valid number. If the number is valid the front end is activated and presents the ballot. The card is retained by the voting booth.

The system as it now stands:


With the additional two details of a ballot store and a voter card, we have an electronic system that matches the functionality available with clay balls over 2000 years ago. The two final features of the jars and balls that must be incorporated: random order of ballot withdrawal and random order of storage. If the order is predictable in either case, it is possible to track a ballot back to a particular voter just by keeping track of the order that voters enter the booth.
This is good moment to pause and review the protections by examining possible methods of compromising the system:
  1. Removal of votes that have been cast- The voter does not have access to the innards of the ballot box, much as the depth of the amphora prevents the removal of clay balls.
  2. Depositing extra votes before or after the polls have closed- The number of voter cards collected by the booth would not match the votes cast. Any additional votes would not carry serial numbers drawn from the store and the number of ballots missing from the store, would not match the number of ballots in the ballot box.
  3. Detection of stray votes so that the entire ballot box is not invalidated- To stuff the ballot box the ballot shark would have to predict the serial numbers of the ballots in the ballot store, remove those that are going to deposited falsely, and then put the fraudulent ballots into the ballot box. The paranoia of the Australian ballot combined with physical protection the ballot store, protects against this. When the polls are opened, the poll workers very publicly check the ballot box to ensure that there are no ballots present. Second the serial numbers of the ballots in the ballot store are kept sealed until after the election.

Write-in candidates
Write-in candidates are handled by adding an option on the front end that presents the voter with the opportunity to type in the name of any person they wish. The front end makes no effort to check spelling, guard against common joke names such as Donald Duck, or even single letters. A notation is made on the ballot that the race has a write-in, the name typed is attached to the ballot and the ballot deposited in the ballot box.

When the ballots are counted all write-ins are printed out for hand counting along with the serial number of the ballot. The entire ballot should not be printed but the ballot must be query-able because it may be necessary to check and see if that candidate appears elsewhere in the ballot and has been voted for by the same participant.

Opening and closing a polling station
Before introducing any additional complexity, this is a good point to discuss the opening and closing procedures that must be followed to make the system functional. The opening and closing procedures have two equally vital functions. First, auditing the system to ensure that everything is accounted for and in the correct place, the ballot box is empty, the store has the correct number of ballots, and so on. The second function is the task that kept Dark Age kings, such as Offa of Mercia, continuously on the move. If you have seen the king, you know he exists; if you have seen the empty ballot box as the polls open, you know the box was not stuffed before the vote. However, if the king has not been by in a couple of years does he really exist? If no one ever sees that the ballot box is actual empty at the start of the polls, is it empty? Does the canvass really take place? Are those our votes? This is fodder for theorizing about conspiracy to disenfranchise. Additionally, having the public around to observe the opening of the polls and able to examine any documentation produced as the polls are opened works well in the paranoid, trust-only-yourself that underpins the Australian Ballot.

With the twin goals mentioned above, first let me present an opening and closing procedure for the jars and clay balls. The public is welcome to view these events. The obvious auditing functions are augmented by the official trappings of the proceedings to lend legitimacy, much as a doctor is expected to appear in a white lab coat with a stethoscope draped like a flea collar about their neck.

Opening

  1. 2 clay jars with the tops sealed are withdrawn from the warehouse by at least 2 poll workers.
  2. A number of sealed sacks of clay balls are randomly selected from the warehouse, again by a plethora of poll workers.
  3. At the polling station, the sacks of balls and the jars are placed in full public view until the official opening time. Again, at least 2 people stay with the gear at all times.
  4. When opening time arrives, the jars are unsealed, up-ended, and lights are shone into the jars. All in an effort to prove that they are empty, this should be done with great attention to procedure, with multiple people, all double checking the work to enhance the legitimacy as discussed above.
  5. The sacks are given the same sort of treatment when they are opened.
While it is possible to do the job with fewer people and less pomp and circumstance, that is not the point. The key is demonstrate to the public that nobody has anything up their sleeve.

The same goals are displayed in the closing of the polls; where again multible officials should be involved at each step.

Closing and counting

  1. The clay jars are publicly sealed.
  2. The votes remaining in each bag are noted.
  3. The bags of remaining balls are resealed in public.
  4. The jars and bags are taken to be counted accompanied by a number of officials and observers.
  5. The counting takes place in public.
  6. The number of votes cast versus remaining ballots are checked.
  7. The ballots are all smashed to recover the serial numbers and these are checked for duplicates and ones that were not issued.
  8. The ballots and the jars are put back under lock and seal until the time limit for challenging the vote has expired.
  9. The results are reported.

In the case of our electronic system, after the equipment has been delivered to the polling station and just before the station opens, and in full public view, the ballot count procedure is run: Each ballot box is asked to report the vote count it holds; these should be empty. Each ballot store is asked to report the number of ballots it holds; this should match the number expected. Each front end is asked to report the number of voters that have used the machine, and this should be zero. Copies of these results are posted in the polling station for all to see and the original returned with the equipment for counting, then stored until the end of the challenge period.

When the polls close, the same ballot-counting procedure is run again. Each ballot box now reports the votes cast. The stores all report the number of ballots remaining, and the front ends report the number of votes that have passed through the system. If these numbers do not match, a closer examination is needed.

Two things are crucial to note: First, the same programs are run at the opening of the polls and at the closing. Second, no matter how many times the polls are opened and closed nothing changes in the counts because the programs are only reporting tools and not initialization tools.

A more realistic case


This section will extend the system proposed above to match the requirements of a modern ballot.

There are two additional issues that must be addressed at this time: first, the problem of systems failure; and second, ensuring that the ballot deposited in the ballot box is an accurately represents the voters' markings. Both problems can be solved with minor changes to the ballot box and the addition of void-ballot tracking.

The void store holds ballots that have met one of three fates: voter void, system void, and challenge ballots. A voter-voided ballot is one where the voter has intentionally destroyed the ballot. These will not be counted. A system-void ballot is one where the system detected a flaw and presented the voter a new ballot. A challenge ballot is one where there is some question about the legitimacy of the voter. To accommodate these three conditions, the void ballot store has three chambers, one for each type of void and one for challenge ballots.

The next change is to ensure that the voting operation is atomic [Lampson1979]. An atomic transaction is one that either completes correctly recording all information or no information is stored. Returning to the clay balls: when the balls are dropped into the flagon, they either reach the bottom or an event rarely seen outside the sub-atomic world has taken place.

By dividing the ballot box into two chambers separated by a one-way trap door and altering the behavior this is feature is duplicated. The outer chamber is a holding space for incomplete ballots, the inner is reserved for completed ballots. The behavior of the ballot box is altered as follows: First, when a voter enters the booth and requests a ballot by putting their card into the machine the number of the card will now be transmitted to the ballot box. The ballot box will pair this number with the serial number of the ballot provided to the voter holding the combination in the outer chamber. Second, the act of voting will now be a two-stage process: when the voter selects "vote", the ballot is deposited in the outer holding area. The voter will then be asked to confirm the vote. If confirm is selected, the ballot will be dropped through the trap door into the inner chamber. After voting is finished, one step in closing the polls is to tell the ballot box to move all ballots from the outer chamber to the inner chamber because these are partial ballots that cannot be completed (voting is done), but they contain some partial information.

Thus the system now looks like:

The first thing that these additions allow for is the voter to intentionally void a ballot. When a voter voids a ballot, that ballot is placed in the void box and the ID card is retained by the booth. The second, and more important function of these additions, is to allow for recovery from systems failure. If a voter is interrupted at any point before the final confirm is selected, the voter card is returned, and the ballot as marked is placed in the outer chamber of the ballot box. When voters return to the booth, re-inserting their card, a new ballot is withdrawn from the store. The old ballot is looked up by the card ID and deposited in the system void ballot storage. The voter starts again. This change also accommodates the voter who leaves the booth without selecting the final confirm because this ballot is moved from the outer chamber to the inner chamber only when the poll closing is done. While subjecting the voter to refilling out a ballot appears harsh, if it is possible for a voter to return to a partially completed ballot after once exiting the voting booth, then it is possible for a third party to check that a voter has filled out a ballot correctly.

The act of getting the confirmation of the vote appears to violate the principal of not being able to see marked ballots that have been deposited while the polls are open. This difficulty is resolved by using a one-way function. These are functions that are inexpensive to run forward but very difficult to unravel. For a given input these functions will always produce the identical output. When the ballot box request confirmation, it does not send back a plain copy but rather drops the ballot through a one way function (DES for example). The booth drops a copy of the ballot through the same function and compares its encrypted version with the copy from the ballot box. If the two match, it offers the user the opportunity to confirm the vote. If the two do not match it just retransmits the ballot and the confirmation process starts all over.

This also slightly changes the opening and closing procedure because now the void-ballot store must also be shown to be empty in the beginning and both chambers of the ballot box must be shown empty as well.

When the polls are closed, the following equations should hold true:
ballot box + voter void = voters
voters + system void = original number of ballots
ballot box + void + remaining ballots = original ballots
Note: all serial numbers of the original ballots should appear in exactly one of these spots: ballot store, ballot box, void store.

Expanding to a precinct

There are two ways to expand the above system in order to meet the needs of a multi-booth polling station. The first would be to drag a set of the stand-alone machines described above into the polling station; this would work but not provide any enhancement of the current voting methods. The second option is to modify the stand-alone arrangement such that the resources are shared. This is the direction that I will proceed in.

For this example all of the machines are assumed to be in the same building, and thus the network amongst them has no outside connections. The security is provided not by hiding the network away in the walls but rather draping by it about in full public view so that anyone tampering with the cabling must do so in full view of everybody.

The first advantage of networking the machines together is redundancy of modules. To take advantage of this, we will change the modules so they no longer look to a resource on the local machine for services. For example, when voters enter the voting booth and deposit their IDs, thus requesting a ballot, the front end broadcasts a request for a ballot on the network. The first machine to respond acts as the ballot box for that voter. The ballot box then goes on the net and requests a ballot from the first ballot store that responds. By allowing the front end and ballot box to search for the resources they need, the likelihood of a full ballot box or empty ballot store closing a voting booth is greatly reduced.

The second advantage is redundancy of hardware. Computing equipment suitable for shuffling about to polling stations is subject to the dreaded whine and grind of bearings going in a hard drive or, worse, the gentle metallic plinking of a read "/" write head plowing a furrow in a hard-drive and then breaking free to join the data as a pile of twisted metal at the bottom of the case.

Only two pieces of equipment are fatal if they fail before the final count: the ballot box and the void-ballot store. If a voter front end stops working, votes, have to wait a bit longer but no information is lost. If a ballot store fails, then the vote will not be halted because the other stores on the network are the backup, and the information can be reconstructed from the starting information, the ballot boxes, and the void-ballot store. However, the ballot box and the void-ballot store contain information that may only be recovered after the polls are closed, so they must have a dynamic continuous duplication of information.

The nature of the information stored within the ballot boxes and the void-ballot store precludes any other system looking at it, much less storing it, so each of these modules must be altered to provide their own backup.

The actual modifications are remarkably simple. When a front end contacts a ballot box requesting a ballot, the master ballot box contacts a second and third ballot box and requests that for the next transaction these boxes provide redundant storage by acting as passive slaves. The two slave boxes each read all information sent to the master ballot box as if the information was its own but are silent otherwise. When voting is complete, the relationship is broken. The same method works for the void-ballot store. When the ballots are reunited, the actual votes of all ballots should agree. If they do not the discrepancy needs to be explained. This duplication of ballots points up the need for changes in voting law to implement all electronic voting. This topic is disscussed in a section at the end of this paper.

When the votes are counted, the ballots must be reunited; because the serial numbers were stored, this task does not present a problem. However, the ability to track the life of a ballot is now impaired, so the voting process must be changed.

In the original scheme, where the voting booth was a monolithic structure, if a ballot serial number appeared in the ballot box, then it must have originated in the attached store. When the modules are placed on the network, it is impossible to know which front end worked with the ballot. Thus, the progress of one ballot through the system cannot be tracked.

This problem is fairly to rectify. Each front end is assigned a unique ID that is retained as part of the ballot after it has been deposited in the ballot box. The number on the voter ID card cannot be used because this would tie the ballot to a particular voter.

When the voter enters the voting booth, the front end passes the along its ID to the ballot box when it requests a ballot, and the serial number stored in the ballot box takes the form front end ID:serial number. If a number of ballots deposited in a particular ballot box are found to be different from their counterparts in the slave store, then the route of the ballots needs to be retraced. First the serial number is recovered and then the front end ID. At this point the complete path from ballot store to front end to ballot box can be reconstructed. This should make is possible to rule out ballots that make no sense because the equipment represented by the IDs were not all in the same precinct.

The voting process:

  1. Voter collects a card from poll officials.
  2. Voter enters the booth and deposits the card.
  3. Front end asks for a ballot box from all those on the network.
    1. THe ballot box requests another ballot box to act as a silent partner.
    2. The slave units begin listening to all traffic between the ballot box and the front end.
    3. the ballot box responds to the front end and receives the front end's id.
    4. The ballot box requests and receives the voter's card number.
    5. The ballot box requests a ballot from a random ballot store.
      1. The ballot store ships a ballot to the ballot box.
      2. The ballot store deletes the serial number of the ballot from its store.
    6. The ballot box creates a three-part transaction ID for the ballot consisting of ballot serial number:voter ID: front end ID.
    7. The ballot box removes the serial number from the ballot and attaches the voter ID.
    8. The ballot box ships the ballot to the front marked only with the voter id.
  4. The voter fills out the ballot.
  5. The voter request that the ballot be deposited.
    1. The front end passes a copy of the ballot to the ballot box.
    2. The ballot box makes a copy of the ballot and then encrypts it using a pre-arranged scheme.
    3. The ballot box passes the encrypted version of the ballot back to the front end.
  6. The front end makes a copy of the ballot and encrypts it, then compares this with the one from the ballot box.
  7. If the two encrypted versions agree the front end request the voter confirm the vote.
  8. The voter confirms the vote.
  9. The front end informs the ballot box of the confirmation and destroys its copy
    1. The ballot box attaches the serial number to the ballot so the ballot is now marked with both the original serial number and the ID of the front end.
    2. The ballot box drops the ballot through the trap door into the completed store.
  10. The front end retains the user's voter ID and sets up to receive the next voter.

When the polls are closed and the votes are to be counted, another computer must be attached to the network to perform the amalgamation that yields the totals. When this information is gathered, care must be taken to ensure that none of the information about which bits of equipment touched the ballots is lost.

The steps of this program are listed below.

  1. Contact all ballot stores and collect the unused ballots, recording the box where found.
  2. Contact all void-ballot stores, joining all ballots with the same serial numbers together but preserving the routing information. Check if any ballot appears in the list of unused ballots; if so, note the error.
  3. Contact all ballot boxes, joining all ballots with the same serial numbers together but preserving the routing information. Check if any ballot appears in the list of unused or void ballots; if so, note the error.
  4. Print results assuming all ballots are correct
  5. Print out all ballots with errors, noting the condition that caused the error. These ballots will require the officials to accept or reject them. In the case of rejects, the totals must be adjusted.

Collection of polling stations reporting back to a central office

The next logical step is to leave the ballot stores, ballot boxes, and void stores all in a central location; moving only the front ends out to the precincts. To avoid the issues network security, the phone system will be used for communications rather than the Internet.

To accomplish this, a bank of phone lines is installed in the central area, each connecting to a single ballot box. This bank is represented as a single number to the outside world but the ballot box connected when calling is determined by a call distribution system. The setup is very similar to the systems used by catalog operations with 800 numbers, where any number of calls are handled simultaneously but all the customers called the same number. Each front end has a modem and a phone line. When a voter enters the booth, the front end connects to a random ballot box when the front end dials the central office. After that the transaction proceeds as described above.

The advantages of this system are

This system has a number of critical failings:

Taking advantage of the Internet


The weaknesses in a system with a single point of failure are too well documented to proceed along the lines purposed above. However, the system designed for a networked precinct forms a good basis for a system that can take advantage of the Internet after the conversion to IPv6. This system can also be adapted to allow for early voting at satellite stations.

Any precinct with the voter load to require a number of voting booths can take advantage of the Internet as it now stands to report results electronically back to the central office in addition to printing them in the precinct. When IPv6 replaces IPv4 (the current protocol of the Internet), a precinct can be joined to the central office over the Internet with a few changes.

The IPv6 version of the Internet protocol will contain three crucial additional features for Internet voting that will allow the voting software to be assured of network connectivity without the use of proprietary technology. The first feature is the ability to tie disjoint networks together so they appear local with tunneling [Conta , rfc2473]. This is not an addition to any of the machines directly concerned with the vote but rather an addition to the routers. The Internet connection will appear the same to the machines concerned with the vote no matter how connections are dropped and reestablished. The second two features, security encapsulation [Kent, rfc2406] and authentication [Kent, rfc2402], together allow the networking software to assure the voting software that the machine on the far end is the one that it claims to be and also protect the connection from eavesdroppers. Even with these additional features however,provisions should still be made for each polling station to be able to continue without connections to the Internet, just as there are provisions inplace now for polling stations that burn down mid vote or suffer other disastrous events.

Satellite voting stations
Most satellite voting stations are small operations with limited access to telecommunications facilities. By using a cell phone to provided access to the connectivity however, they can take advantage of the Internet. The satellite voting station would consist only of the front end and a stack of voter cards. The process from the voter's point of view is the same; however, when the voter enters the booth and a ballot is requested, the voting booth dials in to the central office where the rest of the system is located. The chance that a given satellite station is not functional is acceptable because the voter will have another chance on the official voting day. The ballot boxes, void-ballot store, and ballot store that are used for pre-election satellite voting must not be used on polling day to collect additional votes because they have already collected votes and thus cannot be demonstrated empty at the start of polling. After the polls have closed on polling day, these stores are reconnected to the network and there votes added to the tally.

Legal Issues

  1. In the current system of laws governing elections, the ballot has a unique instance. This is even the case with lever-activated machines. When voter is leaves the booth, the ballot is added to the total when the counters moved forward one spot. Electronic ballot exists as copy of the original that first appeared in RAM and disappeared when the system reset. In the system discussed, a copy is preserved in several ballot boxes.
  2. It must be possible to reconstruct the path of any ballot from the ballot store to its destination at the time of counting, much as the old 5 poundnotes in the United Kingdom were signed by each holder. At the same time, however, the ballot must not be traceable to any one voter. Thus, the laws must now define which modules must sign the ballot, all but the voter front end, and which must not along with the form that this signature will take.
  3. The system proposed relies on multiple copies of a ballot existing at counting time and the unification of these ballots into a single ballot. With any system of this sort, there is a chance that one or more copies of the ballot will not be in full agreement. The law must provide for a majority rule to determine the correct version of the ballot, along with provisions for printing and examining all of the copies in the case of dispute.
  4. Because software is not just the final executable, the source code for the voting system, all compilers, libraries, and the operating system used during both compilation and on polling day must be available for public inspection.
How to ensure that the actual program is not committing the fraud and covering its tracks
To encourage inspection and testing by the public, any company offering a voting system should also offer a prize for bugs found, say $100,000 for each new bug, where a new bug is one that has not been published on the corporate web page. This would have a number of effects to encourage software quality. First, to reduce financial risk, an insurance policy would be necessary; any insurer would insist on inspecting the code. Second, because a bug can be reported multiple times until it is published on the company web page, bug disclosure would become a vital part of financial management (a change from current practice). Third, the prize must be large enough to attract programs to try to find flaws in the system. Finally, by encouraging the intensive examination of the process by a large number of people and public disclosure of their findings, the underlying principle of trust through paranoia of the Australian ballot is preserved.

Bibliography

Jones, D., 2000.
Some Comments on the California Internet Voting Task Force Report of January 2000.

Lampson B. W. and Sturgis, 1979.
Crash recovery in a distributed data storage system. Unpublished technical report, Xerox Palo Alto Research Center, June, 1979

Kent S. And Atkinson R. 1998
IP Authentication Header RFC 2402 RFC 2402 November 1998

Kent S. And Atkinson R. 1998
IP Encapsulation Security Payload RFC 2406 RFC 2406 November 1998

Deering S. and Hinden R. 1998
Internet Protocol Version 6 (IPv6) RFC 2460 RFC 2460 December 1998

Conta A. and Deering S. 1998
Generic Packet Tunneling in IPv6 RFC 2473 RFC 2473 December 1998

Edward W Sihler (esihler@cs.uiowa.edu)

This page was last modified on .

Back to the Department of Computer Science