J.A. Goler and E.J. Selker
                          94
                          This factor accounts for the need to collect the ballots from the previous stage
                          modules.
                                                 n
                            F M =1 − (1 − f comm)     n    (1 − F n,m )(1 − A n,m )    (F n,m A n,m )  (3)
                                                     u
                                                u=t      u                    ∀U
                          With storage (caching) of intermediate ballots, SAVE modules can batch up and
                          transmit ballots at a later time if the network connection fails or is intentionally
                          disrupted.
                          6   Discussion
                          6.1  Cost Considerations
                          The primary objection to the N-version programming SAVE in general is the
                          additional cost of building independent modules, platforms, and their respective
                          certification. This consideration is dealt with in SAVE by the specification of
                          small modules and the communication protocol such that modules are small,
                          easy to understand, and less able to obfuscate faulty or malicious code. The
                          platforms (the computer, operating system, and possible libraries/environments
                          such as Java) may already be certified and examined. Code can be made available
                          online for review by anyone at minimal cost.
                            Given that an entire top-to-bottom system was written by Soyini Libud at
                          MIT [18] in less than a year, it is clear that companies and interest groups with
                          modest budgets [17] (less than the cost of a full page ad in the New York Times)
                          can write a SAVE module. Furthermore, instead of having large companies that
                          build end-to-end proprietary voting systems, a wide community of developers
                          could flourish.

                          6.2  Improved Security
                          One of the most vulnerable parts of any system is the communication channel.
                          In SAVE, messages are passed in encrypted versions of plaintext XML. This ar-
                          rangement produces messages that often have the same format and even content.
                          Depending on the security of the cryptography implementations, these repeti-
                          tious messages might harm security.
                            The cryptographic keys could also be compromised by election officials. One
                          method of dealing with this problem is issuing distributed keys, in which each
                          individual does not have the entire key, and it takes a number of officials to
                          collude in order to compromise the election. However, the extent to which the
                          official would need to collude would also preclude a valid result in any other
                          election scheme.

                          6.3  Transparency
                          One of the principles governing security of voting is the privacy of the ballot.
                          A vote should not be traced back to the voter. This property is important as a
                          defense against coercion, bribery and threats against a voter. One of the benefits
                          of using cryptographic security is the ability to provide encrypted receipts to