Stefan Popoveniuc

An introduction to punchscan

PunchScan is a precinct-read optical-scan balloting system that allows voters to take their ballot with them after scanning. This does not violate the secret ballot principle because the ballots cannot be read without secret information held by the distributed authority in charge of the election. In fact, this election authority will publish the ballots for everyone to see, allowing voters whose ballots were incorrectly omitted to complain. PunchScan vote-counting is performed in private by the election authority – who uses their secret information to decode the ballots – but is verified in public by an auditor.In this paper we describe how and why PunchScan works. We have kept most of the description at an outline level so that it may be used as a straw model of a cryptographic voting system.

Securing optical-scan voting

This paper presents a method for adding end-to-end verifiability to any optical-scan vote counting system. A serial number and set of letters, paired with every candidate, are printed on each optical-scan ballot. The letter printed next to the candidate(s) chosen by the voter is posted to a bulletin board, and these letters are used as input to Punchscans verifiable tallying method. The letters do not reveal which candidate was chosen by the voter. The method can be used as an independent verification mechanism that provides assurance that each vote is included in the final tally unmodified—a property not guaranteed by a manual recount. We also provide a proof-of-concept process that allows the election authority to settle disputes after the polls close while preserving ballot secrecy.

Accessible Voter-Verifiability

Abstract All voter-verifiable voting schemes in the literature require that the voter be able to see and to mark. This paper describes modifications to the Prêt à Voter and PunchScan schemes so that a voter who can either see or hear, or both, independent of marking ability, may avail of voter-verifiability without revealing her vote. The modified systems would provide privacy and integrity guarantees that are currently available only to voters who can both see and mark.

Paperless independently-verifiable voting

We present a new model for polling-booth voting: the voter enters the polling booth with a computational assistant which helps her verify that her vote is correctly recorded. The assistant interacts with the voting system while the voter votes on the machine in the polling booth. We present an independently-verifiable, coercion-resistant protocol based on this model. Unlike all other independently-verifiable protocols, this one is completely paperless and does not require the voter to perform any tasks outside the polling booth. We provide property definitions, rigorous claims and a description of a prototype.

A simple technique for safely using Punchscan and Prêt à Voter in mail-in elections

We apply a technique inspired by Scantegrity to Punchscan and Pret a Voter and show how this results in a mail-in ballot system that is auditable, simple to use and easy to understand.

Clearvote: an end-to-end voting system that distributes privacy between printers

In many end-to-end voting systems there is a single entity that produces each ballot. This entity can be the printer in the case of paper ballots, or the voting machine in the case of an electronic interface. While not able to change election results, this powerful entity has access to confidential information and can reveal selections made by the voters which, along with the voters identities, can compromise the secrecy of the ballot. We propose ClearVote, a new end-to-end voting system that has no single entity that can reveal ballot selections. The ClearVote ballot has three sheets of transparent plastic, each sheet coming from a different printer. Assuming no two printers collude, there is no single entity with enough knowledge to reveal ballot selections.

Corrections to “Scantegrity II: End-to-End Verifiability by Voters of Optical Scan Elections Through Confirmation Codes” [Dec 09 611-627]

Scantegrity II is an enhancement for existing paper ballot systems. It allows voters to verify election integrity - from their selections on the ballot all the way to the final tally - by noting codes and checking for them online. Voters mark Scantegrity II ballots just as with conventional optical scan, but using a special ballot marking pen. Marking a selection with this pen makes legible an otherwise invisible preprinted confirmation code. Confirmation codes are independent and random for each potential selection on each ballot. To verify that their individual votes are recorded correctly, voters can look up their ballot serial numbers online and verify that their confirmation codes are posted correctly. The confirmation codes do not allow voters to prove how they voted. However, the confirmation codes constitute convincing evidence of error or malfeasance in the event that incorrect codes are posted online. Correctness of the final tally with respect to the published codes is proven by election officials in a manner that can be verified by any interested party. Thus, compromise of either ballot chain of custody or the software systems cannot undetectably affect election integrity. Scantegrity II has been implemented and tested in small elections in which ballots were scanned either at the polling place or centrally. Preparations for its use in a public sector election have commenced.

Secure Electronic Voting: A Framework

Abstract We describe a single framework in which to view the end-to-end-independently-verifiable (E2E) polling-place voting systems with a mixnet back-end. We use the framework to invent new systems that combine front and back-ends from existing systems.