[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

EP1979852A2 - Ballot integrity systems - Google Patents

Ballot integrity systems

Info

Publication number
EP1979852A2
EP1979852A2 EP06803339A EP06803339A EP1979852A2 EP 1979852 A2 EP1979852 A2 EP 1979852A2 EP 06803339 A EP06803339 A EP 06803339A EP 06803339 A EP06803339 A EP 06803339A EP 1979852 A2 EP1979852 A2 EP 1979852A2
Authority
EP
European Patent Office
Prior art keywords
voter
ballot
voters
votes
vote
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP06803339A
Other languages
German (de)
French (fr)
Other versions
EP1979852A4 (en
Inventor
David Chaum
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Publication of EP1979852A2 publication Critical patent/EP1979852A2/en
Publication of EP1979852A4 publication Critical patent/EP1979852A4/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G07CHECKING-DEVICES
    • G07CTIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C13/00Voting apparatus

Definitions

  • the present invention relates generally to election systems and more specifically to security and privacy in such systems.
  • ballot secrecy Another issue in voting systems is ballot secrecy, which should prevent other than the voter from learning how the voter voted, with or without cooperation of the voter.
  • the form used to capture the vote does not bear the cleartext vote but rather an encrypted vote. For instance, this allows those transporting ballots and polling place scanners to be kept from learning the cleartext votes.
  • Partly related, at least in some settings, is the issue of to what extent ballots voted by different groups are readily distinguished. 1
  • Substances added to ballots can have environmental and/or toxic effects and be problematic for 2 recycling, and thus may have additional costs and/or be undesirable in some settings.
  • the present application is in one aspect oriented towards obtaining the advantages of encrypted ballot/receipt systems for voters who cannot read the ballots and/or mark it. This is directed at attendance voting settings using machine-read ballots, such as where voters vote at polling places s using so-called "optical scan" systems.
  • the first approach may be called "human assisted" marking, and varies by jurisdictions. It does not provide autonomy, because one or more persons assist the voter in the act of voting. Some jurisdictions, for example, require voting with the assistance of a poll worker, who typically is to read the ballot aloud to the voter and to record the 4 responses uttered by the voter. Unfortunately, it may be particularly difficult for a blind person to ascertain with certainty who overhears their votes.
  • the second known approach may be called “automated” marking, such as with machines developed by Vogue Election Products & Services of Glen Ellyn, Illinois. These are essentially so-called “DRE” (Direct Recording Electronic) 5 voting machines. Instead of recording the vote electronically for later transmission by those running the election (often through a physical device anyway such as a memory card), however, they print the vote as a form that is provided to the voter for casting. In some cases a pre-printed form may be scanned in or otherwise loaded by the device and only the 9 votes are marked on it by the device's print engine; in other cases the form may be rendered and printed completely by the device. In addition to audio voting interaction, as with DRE's, displays may offer enlarged or otherwise enhanced images readable by those who would not be able to read the ballot directly.
  • DRE Direct Recording Electronic
  • 3 audio capability generally is that sited but illiterate voters can also use it. Furthermore, it is believed often less costly, time consuming and cumbersome to generate audio in various languages compared to typesetting and laying out corresponding forms. There are, however, believed to be substantial procurement, storage, and transportation costs, as e well as reliability issues for such hardware devices, which apparently integrate printers and scanners with touchscreen user interfaces. A fundamental shortcoming of the approach generally is believed to be that, even in the best case, when the device marks standard ballots, the ballots are readily recognized as having been marked by machine.
  • the third approach may be called that of "tactile" marking.
  • Braille ballots can only be used, however, by the small fraction of the blind population (believed sometimes estimated at roughly 5% of the legally blind in the United States) who are currently able to read Braille adequately. Of course the ballots would also stand out as 2 having been voted by the blind. A hybrid Braille and ink ballot would address this issue, but would not be very practical, as it would greatly increasing the size, thickness, handling difficulty, and cost of ballots and processing.
  • the other major example of the third approach relates to the so-called “tactile ballot 5 templates.” These are believed to at least have been used, for example, in public sector elections in Rhode Island, Canada, Peru and Sierra Leone. They provide in essence what may be called a "guide,” such as a sheet of relatively rigid material held in alignment with the ballot paper, which includes openings where marks are allowed. In addition to the tactile s nature of those openings themselves, other tactile indications are included formed in the guide, such as in Braille or simpler codes. An audiotape or the like is typically provided that informs the voter of which candidates or question responses correspond to which coded openings on the guide.
  • the audio aspect brings with it the advantage, already 1 mentioned earlier, that sighted voters who are illiterate or wish a language that is not available in printed form can use the system to vote. Such an approach is believed attractive for unencrypted votes.
  • the tactile audio approach does not provide voters using it with the integrity and secrecy protections of the 4 encrypted vote/receipt systems mentioned earlier. For instance, voters are unable to check, after leaving the poling place, that: they were provided with correct information about what to mark, that their marks are accurately scanned, and that the scanned values are properly included in the final tally.
  • readable ballots do not provide the 7 secrecy advantages of encrypted ballots, such as: for handling while in a polling place or for so-called provisional ballots or what may be referred to as "vote-from-any-precinct," which both require that the voter identity be linked to ballots during protracted handling/processing.
  • objects of the invention in this aspect include bringing advantages of encrypted ballot and/or receipt systems to audio tactile ballots at polling places and other settings, including audio assisted and assistant-marked balloting generally.
  • 3 A further aspect relates to processing of encrypted votes.
  • Known voting systems make extensive use of sophisticated types of cryptographic functions and protocols (such as, for instance, public key, secret-shared homomorphic systems), limiting the ease with which they can be widely understood by the public.
  • Those previously 6 proposed by the present applicant are believed to have privacy substantially exponentially good in the number of rounds and detection of cheating substantially exponentially high in the number of votes improperly changed.
  • a system introduced here offers substantially perfect privacy and probability of detection of improper changes exponential in the number of rounds (in a similar underlying model). The amount of 3 computation and data storage is reduced, while maintaining strong integrity properties. Moreover, it optionally only uses a basic type of encryption, that is believed more familiar to and more readily understood by the public.
  • Encrypted vote systems are known in which voters mark paper ballots and retain receipts that allow them to check ⁇ online that their votes were recorded correctly. Privacy and secret ballot properties have been provided, although there is room for improvement in this regard. Some systems have a single entity that performs operational aspects and that obtains as a consequence special access to privacy of votes. In some systems and settings, the checking information posted can 9 reveal some information about the vote to other than the voter.
  • Carbon paper and so-called carbonless paper are well known for making copies of marks made on forms, such as 8 those made by voters.
  • One known problem with such techniques, however, is that the original may be apparently well marked, but the copy does not come through well.
  • demand printed ballots physical structure related to so-called
  • ballot style such as holes or scratch-off may be problematic and can lead to general formats that are less than optimal 1 in terms of clarity, economy, and aesthetics. Moreover, demand printed ballots are ideally substantially indistinguishable from those printed otherwise. Physical structures have increased associated direct and handling costs.
  • a related technology is envelopes and/or material layers, such as covering sheets O adhered in place or the like. So-called “scratch-off layers typically formed from materials including latex on paper cardstock or the like are known and familiar to the general public particularly because of their use in lotteries and the like.
  • ballot secrecy is maintained in some cases including even if the voter does not follow procedures and in some cases including side information and/or virtual transmission of ballots, using scratch-off and/or other removable layers. Desired would be 0 forms that allow the voter to discover codes that can be authenticated as valid when supplied over telephone or Internet, in part at least because the forms need not by physically transported back to, and then also process when received by, those running the election. Control of access to attendance voting is typically done through the known device of a physical poll book, which are being replaced in some jurisdictions by automated and even online systems. Verification by voters, however, is 3 cumbersome with manual poll books, since the information is often neither optimally complete nor well organized for the task at hand. As with voting machines, automated registration systems provide little transparency to voters.
  • voters who are to be allowed to vote in a polling place are displayed in the sequence e in which they are admitted, at least the most recent part of the display being visible to voters.
  • Certain sensitive information such as private addresses and/or signatures on file, is allowed to be viewed by voters present.
  • the poll book is on paper, in others it is automated, and in yet others the book for the particular polling 9 place is in paper but automated information is available for other polling locations within some political subdivision.
  • Objects of the present invention in one aspect, accordingly, include secure receipts whose size is substantially independent of the number of contests or questions and that accommodate write-in votes without in-booth automation.
  • Another object in some embodiments, is an augmentation of manual encrypted vote systems to include write-in vote without introducing additional automation to be used by voters.
  • a further object at least in some embodiments, is less reliance on cryptographic techniques and in particular a receipt-to-ballot linking that cannot be learned by compromise of i such techniques.
  • the present invention aims, accordingly and among other things, to provide novel and improved voting and related 4 systems. Transparent integrity, ballot secrecy, usability, accessibility, and robustness in such systems are important goals generally. Objects of the invention also include addressing all the above mentioned as well as providing practical, robust, efficient, low-cost election systems. AU manner of apparatus and methods to achieve any and all of the forgoing are also 7 included among the objects of the present invention.
  • FIG. 1 is a combination plan, schematic, and layout diagram of an exemplary embodiment of a punchscan ballot in accordance with the teachings of the present invention.
  • Figure 2 is a combination block, schematic, flow, diagram of an exemplary embodiment of a overall punchscan election 3 in accordance with the teachings of the present invention.
  • Figure 3 is a combination block, schematic, flow, diagram of an exemplary embodiment of a punchscan ballot production in accordance with the teachings of the present invention.
  • Figure 4 is a block diagram and flowchart of an exemplary embodiment of a punchscan ballot demand printing in accordance with the teachings of the present invention.
  • Figure 5 is a combination block, flowchart, schematic of an exemplary embodiment of a first disabilities friendly voting system in accordance with the teachings of the present invention.
  • Figure 6 is a combination block, flowchart, schematic of an exemplary embodiment of a second disabilities friendly voting system in accordance with the teachings of the present invention.
  • Figure 7 is a combination block, flowchart, schematic of an exemplary embodiment of a third disabilities friendly voting system in accordance with the teachings of the present invention.
  • Figure 8 is a combination block, flowchart, schematic of an exemplary embodiment of a fourth disabilities friendly voting system in accordance with the teachings of the present invention.
  • Figure 9 is a combination block, flowchart, schematic of an exemplary embodiment of an untrusted-assistant disabilities friendly voting system in accordance with the teachings of the present invention.
  • Figure 10 is a combination block, flow, data, and cryptographic protocol diagram of an exemplary embodiment of a mixing system in accordance with the teachings of the present invention.
  • Figure 11 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a mixing system in accordance with the teachings of the present invention.
  • Figure 12 is a combination schematic and plan view of an exemplary embodiment of two-sheet combination ballot in accordance with the teachings of the present invention.
  • Figure 13 is a combination schematic and plan view of an exemplary embodiment of three-sheet combination ballot in accordance with the teachings of the present invention.
  • Figure 14 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a combination disability friendly voting system in accordance with the teachings of the present invention.
  • Figure 15 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of an untrusted-assistant combination disability friendly voting system in accordance with the teachings of the present invention.
  • Figure 16 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a two- party mixing system in accordance with the teachings of the present invention.
  • Figure 17 is a combination schematic and plan view of an exemplary embodiment of a carbonless ballot form in accordance with the teachings of the present invention.
  • Figure 18 is a combination schematic and plan view of an exemplary embodiment of a sticker palette and associated ballot form in accordance with the teachings of the present invention.
  • Figure 19 is a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including printing above scratch-off layers in accordance with the teachings of the present invention.
  • Figure 20 is a combination block, flow, functional, schematic diagram, of an exemplary embodiment of a paper-based polling-place sign-in and forms in accordance with the teachings of the present invention.
  • Figure 21 is a combination block, functional, schematic diagram, plan, and pictorial view of an exemplary embodiment of a partly automated paper-based polling-place sign-in and forms in accordance with the teachings of the present invention.
  • Figure 22 is a combination block, functional, schematic diagram, plan, and pictorial view of an exemplary embodiment of a manual paper-based polling-place sign-in and forms in accordance with the teachings of the present 3 invention.
  • Figure 23 is a combination schematic and plan view of an exemplary embodiment of an interfoil and counterfoil arrangement in accordance with the teachings of the present invention.
  • Figure 24 is a combination schematic and plan view of an exemplary embodiment of a counterfoil overlay arrangement in accordance with the teachings of the present invention.
  • Figure 25 is a combination schematic and plan view of an exemplary embodiment of a sticker interfoil arrangement in 9 accordance with the teachings of the present invention.
  • Figure 26 is a combination schematic and plan view of an exemplary embodiment of a split foil arrangement in accordance with the teachings of the present invention.
  • Figure 27 is a detailed flow and block diagram related to an exemplary embodiment of a ballot with write-in in accordance with the teachings of the present invention.
  • Figure 28 is a plan and schematic view of an exemplary embodiment of a ballot with write-in in accordance with the 5 teachings of the present invention.
  • Figure 29 is a detailed flow and block diagram related to an exemplary embodiment of a ballot with write-in in accordance with the teachings of the present invention.
  • Figure 30 is a detailed plan and schematic diagram of an exemplary punchscan ballot with write-in in accordance with the teachings of the present invention.
  • Figure 31 is a detailed plan and block diagram of an exemplary ballot with write-in in accordance with the teachings of i the present invention.
  • voting systems based on paper ballots that provide integrity of the election outcome through the 7 novel use of encrypted votes and other techniques.
  • forms are disclosed that allow encrypted votes to be me marked and audited by voters and tallied by those running the election subject to public audit.
  • One example form type is comprised of two substantially overlaid 0 layers, with holes in the upper layer exposing indicia printed on the upper surface of the lower layer. Symbols are substantially randomly associated, per ballot, with candidates on the top layer and placed in substantially random hole positions on the bottom layer. Voters find the symbol next to the candidates of their choice on the lower layer and mark 3 both around and through that corresponding hole.
  • Another example form type is a carbonless form with cooperating surfaces facing each other. Substantially random positions of candidates are printed on the top layer. Voters fill ovals next to the candidate of their choice on the top layer s and the mark is transferred, with special identical so-called self-contained carbonless coatings, to the bottom of that layer and substantially equally to the top of the lower layer, which serves as a receipt.
  • the top sheet is a conventionally-marked and humanly-readable cleartext ballot, and when it is scanned full duplex, the marks on the receipt layer are substantially 3 verified as matching.
  • Yet another example form type uses techniques somewhat related to known adhesive-label voting, but adapted to encrypted votes so that the choice of which sticker corresponds to which vote is hidden after it is voted, because the 6 association of sticker symbols to candidates is made by indicia printed where the label is adhered to the ballot when voted.
  • the release-coated pallet from which stickers are chosen by the voters servers as a receipt because it is missing the symbols/stickers that encode the votes, but which missing symbol corresponds with which vote is hidden.
  • voters 9 are able to audit other unused positions/ballots to ensure the correspondence of the printing to committed/posted data.
  • Still another example uses techniques somewhat related to known scratch-off voting, but adapted to encrypted votes.
  • voters remove a region of latex that has the mapping between other regions and votes on it, in order to 2 reveal a first part of a code. Then the voter removes the latex from the region indicated by the destroyed indicia to obtain another part of the code.
  • the physical form optionally is maintained by the voter, while the codes are transmitted by the voter to the election system. Commits to the codes are opened, revealing that they are authentic and locking in the 5 encrypted vote that is also receipted by the pattern of removed latex.
  • voters are able to audit other unused positions/ballots to ensure the correspondence of the printing to committed/posted data.
  • voters with various disabilities are provided facilities allowing them to readily vote with systems 8 such as those just described.
  • a blind voter hears through headphones how to mark the particular ballot by utterance of candidate names associated with tactile positions. What is heard is committed to in advance, optionally in parts, and the voter is able to select some such commits to be opened for audit.
  • Voters who can read but not mark can ! communicate what are in effect "encrypted marking instructions" to an assistant, and these are preferably also recorded.
  • Assistants in some examples mark actual ballot parts as a voter would, or where this would reveal 4 the vote to the assistant, through privacy shields or using generic forms.
  • Some example systems disclosed have symmetry allowing the ballot to be divided in two after it is marked and the voter to keep either part as a receipt.
  • Other example systems develop a cleartext readable ballot and encrypted vote 6 receipt as a result of a voter marking selected candidates with a single mark.
  • Other examples produce an encrypted receipt and an encrypted vote, where the encrypted vote is preferably sent in for counting and the receipt retained by the voter.
  • Still other systems turn a ballot into an encrypted receipt that bears authentication codes that can be used to vote remotely.
  • the first two are particularly well suited to attendance voting, as well as mail in.
  • the third is believed attractive primarily for mail-in voting as it does not require special tools to mark and produces an encrypted ballot.
  • the fourth is well suited to remote voting where a physical ballot is not returned by the voter. 2 Extensions relate to some or all the example systems.
  • the underlying cryptography can be achieved without using any primitive other than basic commitment, such as encryption with a key that is later revealed when/if the commit is to be opened. Voting by the blind and those who have difficulty making marks is achieved for the first two mentioned s systems, which are attractive for attendance voting.
  • Write-in capability for attendance and remote voting systems is achieved in a way applicable to all the systems.
  • a voting system with audio presentation of voting options, at i least two different audio channels potentially played to a voter, where each voter is able to take for verification and without compromising privacy at least a copy of at least one of the channels and the choice of which channel the voter will take is substantially unpredictable to the system and the channel contents substantially previously committed to.
  • a voting system with at least one potential confidential presentation to a voter, related to at least a commitment to at least one such potential confidential communication, and where the voter communicates signals to an assistant to indicate where the assistant is to make marks and at least one potentially 7 confidential presentation is auditable without compromising voter privacy.
  • an encrypted vote system based on cryptography comprising substantially only commitments to values, where it is verifiable to the public based on accepted random challenges that encrypted votes o result in the cleartext tally with substantial probability but substantially not which ballot corresponds to what contribution to the cleartext tally.
  • a voting system in which receipts substantially authenticated by at least some 3 parties conducting the election include substantially a code that allows an online version of the form submitted by the voter to be viewed in the correct way but where different codes would correspond to different choices being viewed.
  • voting system in which at least two parties each have substantially separate secrets 6 needed to determine the correspondence between ballot forms and results and said two parties are involved in printing.
  • a paper ballot system in which provision is made for a voter to remove a substantially self-adhesive element from one part of at least a related form and apply at least a part of the element to at least a part of at least a related form and where: (a) the vote is hidden in the resulting combination from view by the public having access to completed unvoted forms; or (b) voters being supplied substantially more than one part per choice and opening substantially previously committed values to substantiate that at least some of the parts supplied have corresponding indicia; (c) commits are made to parts of the information on the form, some of which are selected for opening during audit; or (d) establishing based on audit that the tally substantially reflects the votes cast.
  • a voting system with choice determined by indicia destroyed to reveal coded votes including: establishing based on audit that the tally substantially reflects the votes cast; or voters being supplied substantially more than one part per choice and opening substantially previously committed values to substantiate that at least some of the parts supplied have corresponding indicia; or establishing based on audit that the tally substantially reflects the votes cast.
  • a polling-place sign-in system that exposes a substantially fixed number of chronologically preceding sign-ins to the next voter signing in.
  • committed form substantially microstructure region signatures of forms and later selectively opening at least some of said commitments.
  • the punchscan system described with reference to Fig 1 and 2 will be described first more generally. It uses two or more layers.
  • the material is opaque or transparent or translucent.
  • nesting holes for instance, allow all three to be marked and the middle one can be used for recording the positions and the voter can keep one of the two outer layers.
  • both those not kept by the voter are separately sent in or collected and posted as encrypted votes, the redundancy providing protection against loss and also revealing cheating.
  • Marking means is for instance by application of ink or activation of coatings or mechanical deformation. Ink can be, for instance, by dauber or stamp or pen or pencil.
  • Holes are formed such as by drilling, punching, die-cutting, laser cutting. They can be pre-formed in a way customized to a particular ballot layout or in a more generic way that may have some unused holes but that preferably also allows demand printing of ballots. Round holes per symbol or slots for multiple symbols are examples. More generally, whatever shape combination, called here a "provision,” allows one or more symbols to be seen and records a mark on the upper layer as well as the lower layer indicating the position of the mark. As an example, an edge of one sheet exposes a portion of the sheet below, with marking optionally straddling the edge. The shape of the hole optionally, in some embodiments, encodes all or part of the symbol. Perforation or adhesive or mechanical joining holds parts but is separable.
  • a tamper-evident aspect to the separation can protect against combining improperly and also can keep the identifying information hidden at least until after the voter fills the forms, such as that described with reference to Figs 23 through 31. Tamper proof tape is known and optionally is applied to adhere parts together.
  • Perforation along fold line along leading edge allows processing through paper handling equipment, such as demand printers. This can print the top layer and through the holes to the lower layer at the same time, such as with a conformable rubber belt of a laser printer or inkjet printing or various kinds of thermal printing. A leading fold line with or without e whole or partial or crossing perforation patterns is also anticipated.
  • the scanner at a polling place or where absentee ballots are received optionally reads the identifying information on one layer and determines the other layer and provides authentication of both that other layer and the mark position 9 information read.
  • voters are optionally allowed to see the scanned image and preferably then also indications on it of how the marks are interpreted, such as whether recognized, overvotes, or stray.
  • a "double sided" version in one example, allows voting by flipping the still attached layers over. Holes in one layer 2 preferably do not line up with those on the other layer, so there are no holes through the laminated layer arrangement.
  • the identifying numbers on the two layers are anticipated to be marked or encoded in various forms, such as human readable or based on steganography. In some examples, all or parts of a number are to be the same and they are preferably s punched through so that this property is readily apparent to voters.
  • Printing is preferably done by three separate entities, one for each layer and a third that places the number on both layers. In other examples, two separate printers are used and the numbering is that supplied by each. It is believed that 8 with only two, a security audit of actual printed forms is one way to detect that the wrong layers are paired. With three printers, the third printer in some examples applies a common serial number that the voter can the readily recognize is the same on both layers and that a security audit of the paper to ensure layers are combined properly is obviated.
  • Other 1 example ways to reduce the need for such audit include: letting the voter choose which serial number to take independently of which layer, such as by perforated tabs that can be left attached to either layer; letting the voter choose some digits of the serial numbers from one layer to mark on the other layer; providing for multiple hole locations and/or 4 indicia positions so that mismatched layers cause improper marking; and so forth.
  • a single entity prints the forms completely.
  • different machines and/or entities do parts of the printing.
  • a machine can be assumed to not record information that it has access to, such as 7 because it is unable to read that information or its structure is such that it does not retain that information even if it processes it.
  • parts of the form may already be printed and the device unable to read those.
  • Some devices may read limited information from other devices and then print, such as a common serial number o applying device.
  • Two or more entities can each form their own "onions" to allow the decryption, mixing, audit and posting of the final result. Each gets what it needs from communication with the other. Layers of a form are optionally divided into parts that are processed by separate entities. 3
  • FIG. 1 a combination plan, schematic, and layout diagram of an exemplary embodiment of a punchscan ballot in accordance with the teachings of the present invention will now be described in detail sufficient for 6 those of skill in the relevant art.
  • Figure IA and IB are views before voting, laminated and separated respectively; figures 1C and ID are similarly views after voting, laminated and separated respectively.
  • a single contest between three candidates is shown for clarity and concreteness.
  • the voted ballot shows a vote for the first candidate named, as an 9 example and uses a dauber style of filled circle marking.
  • Fig IA depicted is 3 what the voter would see when the ballot is in the laminated and still un-voted state.
  • each candidate name has an uppercase letter next to it, an example of a symbol.
  • the same three uppercase letters are seen, in the example in a different order.
  • the orderings are preferably apparently e random, it is anticipated that there is probability that they would be the same on some ballots.
  • the serial number is visible to the voter both as printed on the upper layer and as visible on the lower layer through the cutout.
  • the two layers of the example are shown side-by-side. What is not shown for clarity and readability of the figures is that the lower layer is preferably formed from the same sheet and its upper face seen through 2 the holes is actually the back face of the sheet.
  • a preferred fold line is across the top, with a co-extensive perforation score line.
  • the ballots feed through with the folded edge leading and so are not as likely to get separated into two sheets as if they were fed through with two separate edges leading (especially those s opposite the fold line).
  • the overall mark by the voter is shown as an approximate circular disc of transparent ink. 8
  • a mark can be made using a bingo dauber or a rubber stamp or the like.
  • a similar mark can be made using ordinary writing instruments, such as by putting a cross through the whole structure.
  • the voter may be free to only mark one or the other form, the one that i is to be turned in. This is believed to have some privacy advantages.
  • Fig ID the voted layers are shown separately.
  • the mark circle that was inked through the hole is on 4 the lower layer and the marked ring with the hold punched out from it on the upper layer.
  • the other indicia are as before.
  • Jojo Nobo The reason is that Jojo has the symbol "C" next to his name and that symbol appears on the bottom layer in the middle hole, and the middle hole is the one that was 7 marked with the circle. It is believed that looking at either layer separately does not reveal who was voted for; it is in the combination that the vote is readily seen.
  • the marking of the middle circle either layer records the particular vote, it is believed, as a consequence of the commits to the overall structure.
  • the first or left circle would o constitute a vote for Ms. Fum and the right or last circle for Mr. Mahoney.
  • FIG 2 a combination block, schematic, flow, diagram of an exemplary embodiment of a overall 3 punchscan election in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Included are two different kinds of voting, either or both of which could be used in a particular election or related use scenario. Three stages precede the physical creation of the ballots and then there are the 6 two types of voting and the final processing in two stages.
  • the process begins in step 10201 and then box 10240 indicates that for each layer the arrangements of the symbols and so-called onions, being the example used for clarity in the descriptions without 9 limitation, known in the art for mix-based elections are constructed.
  • the values of the layers being the arrangements of symbols and the serial number or other identifying information, are preferably committed to, such as in the cryptographic sense.
  • 10242 is a so-called "proof process step that preferably is able to convince a various parties that the commits are at least substantially correct with at least substantially high probability.
  • One example shown for clarity, but without limitation, is the opening of a random selection of the layers so that their structure can be checked.
  • box 10260 indicates that the ballot forms are physically created such as by printing and punching and perforating and folding. These use the committed to data that was not revealed, if any was revealed, in step 10242. Some further examples of this step are included in Figures 3 and 4. 9
  • the voter allows the system to make a copy, such as by scanner or digital camera, of the layer that the voter will keep; the other layer is preferably verifiably destroyed. This is shown in box 10262. Then box
  • 10264 shows that the ballot obtained from the voter can be posted and/or signed or otherwise provided with a way to 2 confirm its authenticity.
  • the voter provides the system with one actual layer and the voter retains the other actual layer.
  • Examples are mail-in ballots and polling places that are not equipped to copy and/or destroy layers.
  • a novel s inventive feature of the present invention is that the layer the voter keeps can be re-constructed from the layer retained by the system. This then allows the systems to post and/or other wise provide authentication of the layer taken. It will be understood that this is preferably done in a way that strips away unnecessary detail, such as the particular imperfections in s marks or alignment or uncounted marks and the like. The main thing to be gleaned from the layer the system has is which holes are marked and the identity of the layer.
  • the system looks up the corresponding other layer by the serial number, such as when they are identical or maps them if they are not, and then opens the commit to the layer 1 held by the voter and uses the onion of that layer.
  • the rendering provided in the authentication includes the locations of the holes marked.
  • Box 10280 presents the step of forming the tally from the encrypted votes, as is known in some example systems 4 and could readily be adapted here for use with a single layer and its onion.
  • the audit and verification 10290 then provides
  • FIG. 3 a combination block, schematic, flow, diagram of an exemplary embodiment of a o punchscan ballot production in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • the paper or other media is marked 10320 by a first device or entity.
  • web fed processing is preferably used until a late stage; in other examples, 3 processing is largely sheet fed.
  • a second example entity marks the ballots as they flow by, as indicated in box 10330.
  • the ballots are given process serial numbers to ensure synchronization from stage to stage, but these are then removed later so that an entity knowing only one layer, for instance, does not learn the identity of that layer o from the other layer if shown or posted.
  • the printing devices can be assumed not to retain data that they should not; in other examples, they are assumed to retain the data and more care is needed in dealing with them, although the assumption itself is easier to ensure.
  • Box 10340 indicates a third entity that marks numbers that will be retained on the layers. In some examples the same number is marked on both layers, such as preferably by perforation through both, although this may be done with 3 advantage after the folding 10370 for better alignment of layers.
  • box 10350 indicates that the cutouts and holes are preferably formed, while still a web and after printing. At this time, also whatever perforation e 10360 is made. Then box 10370 indicates that the forms are cut into sheets and/or trimmed of serial numbers and then folded or otherwise laminated.
  • Box 10301 is the start of the demand printing.
  • the process typically includes a request 2 for a ballot and also the form that has been pre-punched as input as indicated in box 10420.
  • the ballot is printed as indicated in box 1030, including optionally through the pre-punched holes mentioned. Then box 10440 indicates that the resulting ballot is ready for use and the process ends 10402. 5
  • FIG. 5 a combination block, flowchart, schematic of an exemplary embodiment of a first disabilities-friendly voting system in accordance with the teachings of the present invention will now be described in s detail sufficient for those of skill in the relevant art.
  • the voter in the booth hears the audio through transducer means shown as headphones 20101.
  • the voter preferably is provided with ballot form 20110 to mark while hearing the audio.
  • Each of the audio and paper are shown in two parts: the audio is divided between track or channel "A" and track or 1 channel "B,” shown for clarity as being provided by separate transducers 20101a and 20101b, respectively; the paper is initially in two sheets, the upper labeled "A” and the lower labeled "B," 20110a and 20110b, respectively.
  • the "scripts" for each audio track that is the text corresponding to what the voice on the track reads, are shown in 4 schematic form: the script for channel "A” is shown as dotted box 20130a; that for track “B” similarly as 20130b.
  • the dotted arrows between the two scripts are intended to suggest the lines that are simultaneously on both tracks and the temporal interleaving and pacing of the other lines.
  • arrow 20140 indicates by arrowheads at both ends that 7 the line of each script 20130a and 20130b are the same and that they are to be read at the same time on both channels, so that they are recorded on both tracks.
  • the voter hears through both ears a voice say "Serial number three four three four.”
  • line 20141 indicates that again simultaneously a second line, in this example a contest identifier, similarly is 0 read on both channels.
  • Arrow 20142 indicates that relatively quickly after candidate name "Joe Man” is read on channel "A" from script 20130a, the location of the 3 corresponding hole is audibly indicated, such as by script 20130b calling for a voice to read "position three.” After this, a relative pause is indicted by the wiggle in arrow 20143, before the next candidate/position pair is read, as this phrasing is believed to be a convenience for voters and to provide a kind of punctuation.
  • the voter wishes to 6 vote for Joe, then he or she is to find the first position on the first contest, such as by scanning his or her finger down the ballot until that hole is felt and then mark that hole with the dauber (which is provided to the voter but not shown for clarity). Again, the mark is preferably in the same position on both sheets. (Also not mentioned further, but optionally 9 present, is a tactile guide to facilitate voters finding the correct holes.)
  • the other candidates and their positions are read in a similar manner: Shortly after “Mary Women” is read on channel “A,” channel “B” voices “Position four," according to arrow 20144, after which a pause is indicated by arrow
  • the left column one, four, seven, star
  • the left column corresponds to move backwards through the tape slowly with playback, move backwards rapidly with playback, skip back to begin of candidate (or previous candidate on repeat/hold), and skip back to start of contest (or previous contest on repeat/hold), respectively; and similarly, the left column corresponds to
  • a special action is preferably used to avoid inadvertent marking.
  • One example is a so-called "cord,” more than one button is pushed at a time. For instance, pushing down all three buttons, four-five-six, is an example chord for marking.
  • the audio is generated by computer 20161, such as a computer at a polling place, using the well-known techniques for playing sampled voices and/or synthesizing voices.
  • Computer 20161 receives navigation commands from keypad 20156, as just mentioned, and these control its logic, as is well known in the IVR art. In terms of hardware, for instance,
  • the number is from a pre-arranged sequence.
  • Another example is for the number to be supplied by input means, such as a barcode reader or keypad 20156, preferably after an operator "PIN" code sequence is entered.
  • recorder 20155a is connected by cable 20162a to sound source 20161, to be
  • recorder 20155b is connected by cable 20162b to sound source 20161 and to transducer 20101b. Shown contained within tape recorder 20155a, during the time of recording, is standard compact cassette tape 20150a; similarly, shown contained during recording within tape recorder
  • box 20121 contains tape 20150c and sheet 20110c, which are the same as tape 20150a and sheet 20110a, but shown again as part of one of the two alternative after-
  • box 20122 contains tape 2015Od and sheet 2011Od, which are the same as tape 20150b and sheet 20110b.
  • the hollow arrows show for clarity, as will be appreciated, the flow of these objects from the voting configuration to one of the two scenarios 20121 or 20122. (The arrow taking the sheet to scenario 20122 is shown as
  • each scenario shown also is the rendered image of the paper receipt that is preferably available online, 20175 for scenario 20121 and 20176 for scenario 20122. Also shown are 6 instances of potentially the same voter audio connection or telephone, 20170a and 20170b, whereby the voter is preferably able to compare the audio sequence to that on the tape. For instance, the voter is preferably able to navigate over the network as during voting, but in any case only hearing the scenario channel. The providing over a 9 communication network of this content, whether video and/or audio, is shown as being done by server 20162.
  • Audio optionally contains audio "markers" that mark certain ballot positions, whether associated with the A channel information or the B channel information. For instance, just after the candidate name and position are read (one 2 on each channel) a distinctive audio signal is inserted during the pause.
  • voters provide input to indicate where the audio markers are to be placed to correspond with what they have physically marked the paper.
  • the system introduces audio markers based on what it has learned from 5 scanning physical ballots. As mentioned earlier, if both sources of markers are used by a system and it detects an inconsistency, that is the voter apparently placed audio markers on positions other than those that the voter has physically marked, then the system preferably notifies the voter of this, such as by an audio message.
  • 8 voters may be allowed to "spoil" their ballot and cast a new one.
  • Audio markers present on online audio are preferably regarded as checked for consistency with other online forms of ballots by automated auditors, such auditing more fully described generally later.
  • voters may be free to make their own record of what they have marked, and then they 1 can check against audio markers inserted by the system from reading the physical ballots.
  • all voters in the system instead of inking the ballots all voters in the system use, for instance oversized paper punches, or otherwise at least partly mechanical marking means. It is believed that the set of persons able to recognize the positions of the marks 4 on the sheets is substantially increased and that audio markers would allow adequate audio checking of such ballots.
  • pairwise comparisons examples There are believed to be six pairwise comparisons examples for each scenario instance.
  • the pairwise checking of electronic renderings of visual and audio are believed preferably open to anyone over the network and can thus be o checked rather fully by devices impersonating voters. Such automated checking by whatever parties is believed in practice possible to make substantially indistinguishable from that of humans.
  • This is preferably used to compare this rendered online information to that made available for audit of the rest of the system, such as the tally process. (Included 3 are audio markers, if present, as mentioned earlier.)
  • An artifact is optionally checked against its corresponding online rendered version.
  • Checking a paper ballot against the online graphic version presumably entails entering the serial number, and optionally is by visual inspection of 6 what should be two identical sets of indicia (except that optional "helper" numbering information, as will be described, is on the online version, although it is preferably set off graphically, by color, font, or the like, so that it can readily be ignored in the comparison).
  • Checking the tape against the online system optionally, entails entering the ballot number ⁇ - j and then navigating through the online system as the tape plays and checking that the candidate or locations match, in scenario "A" or "B,” respectively.
  • Online audio is optionally compared to the corresponding paper. The effect is the same as with the online graphics, s though the helper numbers are not present.
  • sheet 20110c is consulted during interaction with audio navigation 20170a
  • the order in which the names are read per contest is checked to be in the fixed lexicographic order of the symbols present.
  • sheet 2011Od is consulted during interaction with audio navigation 20170b
  • the position number sequence s heard should be that of the symbols traversed in the lexicographic order.
  • a voter could mark any hole or back sheet symbol. Which position is marked is preferably shown in the online sheet, 20175 or 20176, to allow the 1 voter to check that it was recorded correctly.
  • the audio navigation 20170 preferably indicates which positions were marked (as mentioned earlier), such as for instance to facilitate the case when the paper is punched or a sited person is checking using the public switched telephone network. 4 Also shown, ignoring the scenario boxes 20121 and 20122, is the possibility for a voter to practice using the audio navigation system over the phone.
  • server 20165 offers this service, such as a toll free service for a few weeks before the close 7 of polls, voters can familiarize themselves with it and practice, thereby saving time at the polling place and increasing their confidence. Also, extra comfort would encourage and facilitate checking the tape online.
  • FIG 6 a combination block, flowchart, schematic of an exemplary embodiment of a second disabilities friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • Much of the setup is, for clarity, shown as it was for Figure 5.
  • Those 3 parts that differ substantially are for clarity explained in detail, while those parts that are the same as corresponding parts of Figure 5 have already been detailed with respect to Figure 5 and are not further described for clarity.
  • both channels are played to each ear, as shown in the labeling of 6 transducers in headphones 20101.
  • a single mono audio is played to both ears; since the information is read at preferably substantially un-overlapping times, the effect is believed to be very natural. If there is only one speaker, for example, the fact that there are two tracks can be hidden from the user at this point.
  • a single recording is used as the source and the voter can play this recording using standard players. For clarity and simplicity but without loss of generality, the recording will be referred to as disc 20153, 3 such as a CD or DVD.
  • the two tracks are both stored on the disc, but each is encrypted under separate keys.
  • the disc 20153, 3 such as a CD or DVD.
  • 20153 is provided to the voter, under either scenario, preferably substantially unaltered from when it was originally burned before the election.
  • a media with write once capability such as laser discs, is believed and advantage in the e present arrangement. (Audio marker positions or keys are optionally appended, however, as mentioned later.)
  • the disc uses an audio encoding allowing a standard audio disc player to be used.
  • decryption device 20181 converts the audio stream to a digital one. Then the result is decrypted by decryption device 20182: unencrypted is segments of the stream are passed through, those for channel A decrypted with the key for that channel, and those for B with its key. The resulting cleartext stream is converted to speech stream by "codec" 20183. The resulting digital speech is then converted to analog audio by a-to-d converter 20185.
  • a mono headphone driver 20186 is included for clarity. (For 2i optional compatibility with other embodiments, separate time division multiplexing of the audio out onto the A and B channels is performed by two single pole single throw switches 20184, onto lines 20162a and 20162b, with drivers for these lines not shown for clarity). 24
  • the generation of discs 20153 is in some embodiments performed before the day of the election, as would be readily understood by those of skill in the art. Each disc is associated with a paper ballot of a particular serial number.
  • the keys needed to read the disc are then distributed securely to the units 20180 or preferably the decryption engines 27 20182 within them, using known key management techniques. After the voter votes, the disc can be provided to them.
  • the key, E or F, depending on whether scenario A or B applies, respectively, is provided to the voter.
  • One way to issue such a key is by writing it onto the audio, though this has the disadvantage of requiring a write-capable disc drive.
  • Other so example ways include providing the voter with another piece of paper or sticker bearing the appropriate key.
  • Yet another option is to publish the key along with the content of the disc and/or signature on the disc content. (Copies of the digital signatures of the data on the disc, including some known error correction coding, is preferably included on each disc.)
  • a 33 voter's personal computer could optionally check that the signature on the disc matches the data on it and that the signature is posted online. Speech recognition software, in some embodiments, optionally even checks the disc against the online ballot information.
  • Container 20191 allows the voter or observer to hide which channel, A or B, is being recorded by a recorder supplied by a voter or observer during the voting.
  • circuitry in device 20190 that is believed would have to
  • Buffer devices protect which channel the recorder is attached to from being measured from the 2 signal source.
  • the channels are optionally mixed, while avoiding crosstalk, to a mono signal for the headphones.
  • keypad 20156 and computer 20161 are shown, as in Figure 5, the separate channel inputs are optionally provided by the embodiment of Figure 6, using the ports 20162 as signal source.
  • container 20191 such as a locking metal box, is shown containing a single-throw double-pole switch 20195 whose structure is readily ascertainable by inspection.
  • container 20191 only houses switch 20195 and connector 20196 is external, such as at the end of a cable. It will be appreciated that a consideration is emanations from a cable and/or recorder that might reveal which channel is connected. Another example embodiment of i the switching and plugging functions will be described later with reference to Fig 8.
  • One function of device 20190 protects the configuration of box 20191 from being measured remotely. It is believed that, for instance, simple power measurements or even time domain techniques could be used by a sound source 4 to "look inside" box 20191 and determine which channel is being recorded. Accordingly, buffers 20192a and 20192b are provided to prevent this. Suitable structures would readily be conceived by those of skill in the electronics art. For instance, low pass filters are believed helpful in preventing time domain measurements and zero-gain amplifiers for 7 preventing simpler measurements. Other techniques, known in the art, include isolation transformers and optical isolators. A different consideration is that the level of noise on a single channel output should be relatively high compared to the crosstalk level. 0 A second function of box 20190 is to provide the mono drive 20163 for headphones 20101.
  • buffers 20193a-b (which might be simple resistors in some examples) are shown preceding the input to summing amplifier 20194 that also servers to drive 3 headphones 20163, such buffers, amplifiers and drivers being well known in the audio electronics art.
  • One example embodiment is a mechanical lock whose key cannot be removed until closed, where the voter is to 6 surrender the key before the sound source is activated.
  • Another example is automatic means to detect that the container is closed and prevent a valid vote from resulting if the container is opened before the poll worker or other authorized inspector is present.
  • Yet another example is a switch that can only be changed between positions by a key that is 9 surrendered during the entire voting interval or must be inserted into another device during that interval. The voter or observer is able to take the same player, 20151 away from the polling place and use it to listen to media 20152, which is shown as 20152a for scenario A and 20152b, when it is storing the audio of channel B.
  • a rule 20133 is made know in advance that associates certain pairs with positions within a contest.
  • three pairs comprising the top row are associated with the zero'th 2 position; they are readily recognized in the example for convenience as having modulo three sum equal zero.
  • the middle row of rule 20133 comprises pairs each summing to one mod two; and the bottom row pairs sum to two when the remainder is taken after dividing by three. It will be appreciated that each value zero, one or two appears exactly once 5 in each first component of each column and similarly in each second component.
  • each digit appears as the first component in a different row in each column and also in a different row in the second component of each column.
  • the column is committed to for the particular combination of serial number and question. 8
  • the first digit determines the row, which determines the candidate in the fixed ordering given by the rule, assumed here alphabetical by candidate name and not shown in rule 20133 for clarity.
  • the second digit also determines a candidate.
  • Each digit alone, however, is believed not to reveal the i candidate to those not knowing which of the columns is being used for the particular contest, as each component appears in a row per column, as already mentioned.
  • the touch screen 20111 shows the voter the ballot serial number and contest 4 identifier, along with a row per candidate.
  • the candidate names appear in alphabetical order as mentioned and for convenience. Adjacent to each candidate name is the ordinal number of the row for convenience and as maybe customary. At the beginning of each row is the pair from the rule column being used, the first column in the example 7 instance shown.
  • touch screen 20111 transfers this information to computer 20161 over the line shown.
  • channel “C” 0 reads out the first digit of the pair, “zero,” and channel “D” reads out the second, "two.”
  • either one of these, as mentioned, determines the candidate "Mary” for this particular ballot and contest, as they each identify the last row of the column committed to, as mentioned.
  • the sounds are combined by mixer 20194 (which takes and additional input as will 3 be described), and so the both "C” and “D” are heard as mono on each headphone speaker.
  • the voter optionally, at this point, is provided with the opportunity by the system to check that what he or she hears is the pair shown next to the candidate name touched. Also the voter can check that the sum of the pair corresponds to the correct position on the row, 6 in this case by adding the digits and checking that the result is the row number (in zero-based indexing). The voter is also able to check the data displayed for the other rows similarly, though the one voted for is of the most interest.
  • scenario “C” 20123 or “D” 20124 the voter chooses between scenario “C” 20123 or “D” 20124 and leaves the polling place with the 9 corresponding recording 20152c or recording 20152d, respectively.
  • the corresponding script is heard and the other one not, as in the previous embodiments, and as will be described more in detail.
  • the voter then is provided the option to check the consistency of the recording with the online data provided, either audibly or visually.
  • the visual image is shown in case of scenario 20123 as the contest identifier and first component zero; in scenario 20124 it is two. Similar data would be available through the phone, voice, or IVR like system as already described, which is in effect run against the same database of encrypted votes cast.
  • Buffer 20193c is inserted before the mixer optionally to reduce crosstalk.
  • Plugs 20196a-b are in container 20191, where the voter or observer chooses which one to connect to recorder 20151.
  • One advantage of such a two-plug arrangement is believed to be that if the cables are sufficiently long and substantially unstructured in their arrangement, it may be difficult for anyone getting a glance of how the voter connects recorder 1 s 20151 to learn which channel it is on. Also, the voter is believed not to suffer from being forced to make a random choice of which channel is recorded, and is thereby protected against frauds that would require the voter to connect to a particular channel.
  • FIG 9 a combination block, flowchart, schematic of an exemplary embodiment of a untrusted- 33 assistant disabilities friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • persons with disabilities communicate their vote to an "assistant," who is then to mark the ballot accordingly.
  • a headset 20102 is shown for the voter and another headset 20103 for the assistant.
  • the voter and/or assistant optionally does not use audio input 39 but video input or both audio and video; at least one of the inputs, voter or assistant, is preferably kept from being readily learned by others.
  • the voter optionally uses recorder 20157 to record an audio version of some of the channels, to be described.
  • the voter also receives a marked receipt comprising one half of a ballot having one serial number and both 3 halves forming a complete ballot for a second serial number.
  • the first ballot corresponds to the one the voter votes
  • the recording of script 9 20133 is thus one that would compromise ballot secrecy if provided to the voter.
  • the ballot the voter does not vote, ballot 20134, once revealed to be so chosen by the voter after voting, is preferably provided in its entirety to the voter for checking against the published commitments.
  • Each script is shown as transferred in an encrypted analog audio format between some equipment, such as digital playback or TVR means as mentioned earlier, and the headphones used by voters and assistants. This analog transfer is optional and believed useful in some applications as it would facilitate the recording of the encrypted signal by voters is and/or others using standard equipment inputs.
  • the voice reading the script is shown received in a us digital analog form and then compressed digitally using a so-called "codec" function for speech, 20187a, 20187e, and
  • Each of the headphones has associated circuitry to convert the transmitted signal to audio.
  • this 33 includes a first analog to digital conversion, 20188a or20189a. This stage is followed by the modems 20188b and 20189b, respectively. These signals are the decrypted by decryption circuits 20188c and 20189c, respectively. Then codecs
  • 20188d and 20189d convert the decrypted binary stream to digital speech samples and provide this as input to digital to 36 analog conversion 20188e and 20189e, respectively, for input to headphones 20102 and 20103, respectively.
  • the voter and/or various observers, including the assistant preferably are able to record parts of the audio, whether from an analog signal, as shown by single example recorder 20157, or by a direct digital 39 coupling not shown for clarity.
  • What the assistant hears is preferably recorded in its entirety, as indicated by the bold line from the assistant signal to recorder 20157.
  • the voter hears the candidate names in the order corresponding to the ballot that is being marked and will be deposited, as indicated by the leftmost inputs to switch 20188f; the candidate names for a the other order, however, are selected as an output by switch 20188g and provided to recorder 20157.
  • streams of names for both ballots "E" and "F" are provided for recording without switching: the switching is carried out later by the decision about which key to provide to the voter and which to
  • the voter preferably indicates which positions are to be marked, such as by input means such as buttons 20156 as already described (and shown for clarity but not shown connected to the underlying control system not shown for clarity in this embodiment) and, and these are preferably included on the audio channel fed to headphones 20102, 9 20103 and recorder 20157; these are believed to allow the voter later to verify the faithfulness of the marking by the assistant and for the system, optionally, to check the markings when they are scanned, as already mentioned for other embodiments.
  • 2 Four ballot sheets are shown: a top and bottom sheet pair 20112a and 20112b for a first ballot and top and bottom sheet pair 20113a and 20113b for the second ballot.
  • One of the four sheets is to be provided to the assistant and marked by the assistant.
  • a template 20115 with holes s similar to a top sheet is provided for use on the bottom sheets 20112b and 20113b.
  • bottom blotter 20114 is optionally provided.
  • the voter makes the selection on switch 20188f, which causes corresponding opposite selection on 8 switch 20188g (or later release of the corresponding key when both channels are recorded in encrypted form).
  • the ballot the voter listens to is the one that the voter then provides one sheet of to the assistant. For instance, if the voter chooses to listen to "E,” then recorder 20157 records "F” and assistant is given one of 20112a or 20112b; or, if voter chooses to 1 listen to "F,” then recorder 20157 records "E” and assistant is given one of 20113a or 20113b. Then the voter hears the corresponding ballot number followed by a contest and candidate list.
  • the voter selects one of the candidates as it is read and this choice is indicated, preferably by input means 20156 and preferably translated to audio such as by a distinctive 4 audio tone, and this indication is preferably recorded by recorder 20157, learned by control mechanism not shown for clarity as mentioned, and made known to the assistant, who marks the corresponding position.
  • the marked sheet is turned in, preferably for scanning, and then it is returned to the voter.
  • Those running the 7 election, or automated means preferably check that headphones 20102 were listening to the channel corresponding to the sheet marked (or the corresponding key is provided) and that the other sheet of the pair marked is not released to the voter.
  • the voter optionally then checks the recorded candidate orders against those posted on the voided released 0 complete ballot and/or against those printed on the voided full two-sheet ballot taken.
  • the indicated positions recorded are preferably optionally checked, such as by the voter, against online information, to ensure the faithfulness of the marking by the assistant and/or the accuracy of scanning by the system.
  • what secret information the voter and/or assistant receives (referred to here generally as a "presentation" to the voter or assistant) in some examples, such as those already described with reference to Fig 5-8, is related to the vote encryption indicia on the ballot forms, and in other examples it is separately committed.
  • such information can be in parts that combine to the printed indicia and/or it can be substantially independent.
  • An example embodiment that is believed adaptable to both assisted and unassisted is now described, based on the embodiment of Fig 9, but not shown in all cases in the drawings for clarity. Everything is preferably committed to in advance and then opened for the ballot the voter in effect spoils in audit.
  • the order for the assistant is fixed, so that the tape of the tones and what the assistant hears ("G"), or even a video of everything including what the assistant hears/sees/does, can be recorded and/or made public; the voter chooses between two committed sets of instructions and corresponding ballot forms ("E" and "F"), without the untrusted equipment knowing the choice until afterwards.
  • E the number of committed sets of instructions and corresponding ballot forms
  • An optional variant, without an assistant is where the voter marks the positions as instructed by the chosen channel. For a sighted voter with assistant, the data is supplied visually (optionally by the ballot as mentioned below with a generic receipt), but auditory confirmation can also s be provided.
  • either or both audio and video are optionally supplied, as mentioned.
  • the voter may of course be allowed to hear and/or see what is supplied to the assistant including position indications and tones, as mentioned.
  • what the assistant hears/sees and even does is preferably recorded by audio and/or video means, as s mentioned.
  • a "generic" receipt form ! optionally is marked by the assistant.
  • a marked generic receipt forms would preferably include the relevant serial number. It is preferably scanned and used in the tally, with the absence of any cleartext indicia apart from serial number that is missing preferably ignored by the scanning system. Where counts are provided of the cleartext ballots, in some settings a randomized sampling may be preferable, as the tally corresponding to the generic receipts would then not be revealed.
  • a "privacy shield” can be used to protect the voter's privacy while allowing the assistant to mark the actual ballot form.
  • an envelope with holes cut in it allowing marks to be made on the ballot it contains serves to hide privacy-sensitive indicia on the ballot from the assistant.
  • a standard audio of the candidates is provided (optionally with ballot rotation) and the assistant hears one of two orderings, each indicating where the corresponding marks are in the standard order on the particular ballot part or generic receipt actually used by the assistant (logging without timing would be an acceptable recordation).
  • both orders are randomized, voter or assistant gets two versions to choose from, or there are two versions each chooses from in a coordinated manner. With two randomized parts, for instance, the voter can take a tape of what the voter heard or of what the assistant heard.
  • the assistant in some embodiments receives only an indication from equipment of which position to mark when the voter signals and a record of these positions, preferably apart from temporal information, is permanent and provided to the voter and/or assistant, such as with a logging printer without timestamps as mentioned.
  • two orderings are used that differ from what is printed but are equivalent in effect, and a mapping between the two is committed in advance and opened afterwards for the spoilt half; which half of the form the voter takes can be decided 3 later or no half can be taken.
  • audio streams are optionally digitally signed or otherwise authenticated. Whether they are recorded by voters/observers in analog or digital form, digital authentication is well known by those of skill in the 6 cryptographic authentication arts as being readily added to confirm the other data/sounds on the channel. Such authentication preferably allows immediate confirmation that the recordings are not readily disavowed by those operating the election.
  • Various techniques, such as so-called "undeniable signatures" or delayed release of public keys allow some b restrictions in who can make and/or convince whom of the authentication.
  • Voters are generally provided authentication, preferably such as so-called public key digital signatures, related to the parts taken in each media, which can also safely be checked without the party checking learning the votes. More than 1 two layers of paper and/or parts of the audio are anticipated. The option for voters to change tracks for particular contests is also anticipated.
  • the electronics are preferably on transparent substrates and include transparent covering 4 over chips and passive elements. Simple standard chips are believed preferable to larger and/or custom chips. Switches are preferably easily seen mechanical structures.
  • Transparent or at least partly transparent and/or translucent parts are believed r advantageous. In some examples, they allow observers to verify that the voter has not placed any transducers inside.
  • transparent plastic such as vinyl ear cups including transparent gel, such as silicon gel, and/or liquid are desirable.
  • molded plastic parts are preferably made from transparent thermoplastics.
  • Speaker cones are 0 optionally formed from transparent material. Instead of foam, liquid or gel is preferably used to provide passive sound isolation, to reduce the sound transmitted outside the headphones. Another protective measure is to mask the acoustic information emanated with suitably chosen randomized signals from transducers configured towards the outside of the 3 sound isolation enclosures.
  • a single plug for a recorder is preferably provided.
  • Means are provided to allow the voter to move 6 the normally-open switch to connect one of the two channels to the recorder, but the switch is preferably structured so that it then must be reset by a key held by election workers. Without that key, which choice was made is preferably hidden within the device; using that key, or a separate key for the purpose, the state is revealed before it can be reset. For 9 example, one key is needed to unlock the little door that exposes the mechanical switch and another is needed to reset the mechanical latch holding the voter chosen switch setting.
  • the headset preferably does not operate until the voter selects one position and it preferably emits an optical/audible signal to indicate that the voter has not yet made the selection, in
  • the electronics are mounted visibly to a steel box preferably built to suitable emanations specifications, not unlike a small first aid kit including a handle.
  • the box optionally serves to hold and protect the e headphones while not in use.
  • the recorder of the embodiment of Figure 7 is placed within the box. Mechanical locking ensure that the voter state cannot be set or reset improperly and that the device cannot be used until it is set by the voter, as described elsewhere here.
  • positive interlock is anticipated, so that only when the box is closed is a a substantially rigid element, such is used to hold a door open as with a gas spring, is brought into a configuration where a recess or hole in it allows operation. Cables are run out from the box through strain relief grommets that slide into channels accessible when the box is open or that are mountable as a unit through an opening in the box that is preferably
  • FIG 10 a combination block, flow, data, and cryptographic protocol diagram of an exemplary is embodiment of a mixing system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • Six instance examples are shown, 30001a through 30001f.
  • the first, 30001a indicates the initial state published before any audit.
  • the second and third instances, 30001b and 30001c are is alternative examples illustrating the opening of different rows in initial audit, as indicated by the overarching bracket labeled by the word "or.”
  • the example shown in instance 30001b is carried forward (as indicated by the arched "dash-dot-dot" arrow) rather than that of 30001c, as an arbitrary choice for
  • Instance 3000 Id shows the publishing of the encrypted votes, intermediate results, and cleartext votes, as a sequence
  • ballots 30011 example intermediate batch 30012 and example intermediate batch 30013, and cleartext votes 30014.
  • Each row of table 30011 corresponds with what will be called here a "potential" ballot: a set of data cells that if
  • the first two columns of table 30011 each correspond to a different one of the two parts of such potential ballot: for concreteness, it the leftmost column will correspond here to the top sheets and the 3 middle column to the bottom sheets.
  • the data cells of these two columns are informational copies of what would be printed on the corresponding ballot sheet. These two columns are shown in gray, as indicated above, corresponding to their initial state of being hidden by commitments.
  • the rightmost/third column of table 30011 is initially empty but is c where the encrypted vote from the corresponding ballot will be posted once it is determined (such as by scanning a ballot).
  • the two intermediate tables 30012 and 30013 are examples of the parallel audit instances: ultimately, one or the 9 other half of each will be opened in a final audit stage. Each row corresponds to a potential ballot, again whether or not it survives beyond the initial audit. Even though the height of 30012 and 30013 is less relative to 30011 and 30014, no fewer rows are suggested. Two example rows are shown for convenience in each 30012 and 30013, but their content is 12 not differently colored than other rows until instances 30001b-30001f. The left and rightmost columns contain pointers to rows of table 30011 and 30014, respectively, as indicated by the gray dashed arrows shown for the two example rows.
  • the middle column is where the intermediate value, to be described, will be posted (as indicated by medium gray in is instances 30001d-30001f).
  • Table 30014 is where the cleartext votes will be published for tally. Those rows that survive the initial audit and for which ballots are scanned, will be filled, allowing anyone to tally the votes. The final audit will check the accuracy of is that filling.
  • instances 30001b and 30001c two example initial audit choices are shown.
  • the lower of the two indicated rows in table 30011 is chosen for audit; whereas in instance 30001c, the upper such row is 21 so selected.
  • 30012 and 30013 should point to that row in table 30011 and the rightmost pointers of those rows in table 30012 and 30 30013 should point to the same row in table 30014. If the pointers do so point, the initial audit of the links will be deemed not to have detected fraud. This can be seen in the two examples 30001b and 30001c.
  • the initial audit checks the way that the "encrypted votes" are transformed 33 into "cleartext votes.”
  • the two leftmost columns of table 30011 record the information content of the indicia on the sheets of the ballot. They cause the cleartext vote to be transformed from the cleartext vote to the encrypted vote.
  • This transformation will, in known and previously disclosed manner, be considered for clarity and concreteness as the 3 ⁇ application of a group operation between two group elements: the cleartext vote and a group element determined by the cells of the two columns.
  • the result should be the cleartext vote back again. If the group elements do so combine, the 39 initial audit of the group elements will be deemed not to have detected fraud.
  • instance 30001d shown as mentioned is a continuation of the example of instance 30001b, after the initial audit is completed successfully and the votes have been scanned.
  • the particular row the encrypted vote corresponds to is determined by the "serial number" identification indicia on the ballot, which corresponds in a public way, such as by being the row B number.
  • the example row is shown with circle-containing cell entry for the left column, corresponding to the voter having, continuing the example mentioned above, chosen to keep the top sheet.
  • the commitment for the indicia on the top sheet is opened and the voter can show the receipt if the value differs from that on it. Also shown, for clarity as a a dashed row, is an example where the voter kept the other sheet as indicated by the circle-containing cell being in the middle column.
  • the intermediate values shown in medium gray as mentioned, can be
  • intermediate table 30011 and 30012 points to a particular encrypted vote or a particular cleartext vote remains hidden at this point. (The opened row from instance 30001b and its thicker dashed links remains shown for concreteness.)
  • instance 30001e is table 30012 has its left side audited and table 30013 its right side; the opposite choices were made for example instance 30001f, where the right side of table 30012 and the left side of table 30013 are to be opened.
  • the "or" labeling the brace indicates that one of the two example instances is carried out, as will be appreciated, keeping hidden the linking
  • 24 opening (such as for table 30012 in 3000Ie) allows the group operation to be applied to the group element revealed and the published encrypted vote pointed to, and this should equal the intermediate value group element in the middle column, shown in medium gray; similarly, a right side opening (such as for table 30013 in 3000Ie) allows the group ⁇ operation to be applied to the intermediate value group element in the middle column, shown in medium gray, and the group element revealed, and the result compared for equality with the cleartext vote pointed to in table 30014.
  • the physical ballots are printed as per box 30260. Then voters vote the ballots, as described in box 30262. During voting and/or after voting the information marked on the ballot is
  • box 30266 depicts the opening of the commitment on the indicia on the sheet retained by each voter. If the sheet is scanned and returned to the voter, then the sheet retained by the voter is that scanned; if the sheet is
  • the intermediate table entries are preferably next filled, corresponding to the middle columns of tables 30012 and
  • box 30280 The values of this cell, for each particular row, is determined by applying the group operation to the transforming value in the left of center column and the encrypted vote pointed to by the leftmost column.
  • the cleartext votes of table 30014 are readily determined as portrayed in box 30282 9 from any of the intermediate values, by applying, for each row, the group operation to the intermediate value and the right of center value and placing the result in the row pointed to by the corresponding rightmost column.
  • box 30284 shows the preferably public random selection of which halves of the intermediate tables to open, such as the right or left
  • commitment schemes are known that are provably unconditionally unchangeable but only computationally hiding and these are believed preferable
  • a hybrid approach entails such a "quality" commitment to a key, and then the key being used to commit to a much larger value, such as by x-or of a pseudorandom sequence generated by the key. It is believed that the hybrid has the properties of the
  • each such key is preferably divided into pieces and each piece associated with the corresponding pointer of a corresponding intermediate tables, such as
  • the ballot parts are preferably independently created and in turn then determine the value of the right transformations.
  • An example optional way to create the ballot parts is to create each pseudorandomly.
  • voting is anticipated in substantially seven example types of setting:
  • settings (a), (c), (e), (f) each have two variants: where the voter identity is not linked to the marked image or artifact retained by those running the election, and that where it is in order for the handling of so-called "provisional" or "vote-
  • FIG 12 A perspective view is shown in Fig 12A, while two-up views of each side are shown in Fig 12B and Fig 12C. (The end view is from the bottom.)
  • Fig 12A A perspective view is shown in Fig 12A, while two-up views of each side are shown in Fig 12B and Fig 12C. (The end view is from the bottom.)
  • Fig 1 A perspective view is shown in Fig 12A, while two-up views of each side are shown in Fig 12B and Fig 12C. (The end view is from the bottom.)
  • two separate ballots of the type shown as in Fig 1 are in effect combined into a single form in the lower half.
  • a ballot with marks next to candidate names is shown with the marks to be made through the holes provided in the dotted ovals shown on the inner layer, as will be seen.
  • Each of the two outer sheets has a different serial number, in the example they are linked as an odd/even
  • Fig 12D-M various views and online images are shown.
  • Fig 12D shows the unvoted ballot form as viewed with the odd serial number up.
  • Fig 12E shows the orientation of Fig 12D but voted, with a dotted oval for the third candidate "Arthur Lint” shown filled, such as by hand using a pen, and a daub over the letter “C,” being a vote for 9 "Ed Ant,” as the candidate labeled by that symbol on what is in this orientation the top sheet.
  • the odd one has no marks on it, as seen in Fig 12F.
  • the voter preferably also retains the upper foil from this unmarked form, the inner side of which is shown in Fig 12G. The inner surface scanned and that 2 serves as the rest of the receipt is shown in Fig 12H.
  • the code from the slip described in Fig 12G is entered locally in software preferably run at the user computer.
  • the image the voter then sees, Fig 121 is a correct synthesized rendition of s the essential information on the receipt, but with the code entered shown.
  • the code preferably maps the data provided to the local computer, such as by an Abelian group operation, so that any pattern of marks is equally likely if the code is independent and uniformly distributed. This is illustrated further in Fig 12 J, where the wrong code is entered and the s marks are randomized in their positions.
  • Fig 12K The reverse side view of the voted ballot is shown in Fig 12K for clarity.
  • the reverse side of the receipt is shown in Fig 12L, which matches that from the right side of Fig 12B.
  • What is preferably also displayed for audit by the 1 voter is an online view of this that is augmented to include the identifier on the strip the voter kept from Fig 12G, but with the code substituted for "55," that one the receipt.
  • the voter can check all the other printing against the online version. 4 It will be appreciated that, for example, if one of two parties prints the two-up indicia on the outside of the form,
  • Fig 12B and the other party prints the inner two-up indicia of Fig 12C inside the form (they use the common identifier printed on the inner is used to coordinate the printing), and the inner-printing party does the scanning, then neither party 7 alone learns the votes.
  • the scanning party does not learn the votes because the scanning party does not know what is on the corresponding outer, as the other party printed it. But the scanning party does know the code the voter has and provides the posted information so that the code is needed to decode it.
  • the non-scanning party does know the outer o printing associated with the common identifier mentioned and available online, but the outer printing party does not know the code used to permute the vote-determining information on the inner sheet rendered in Fig 121.
  • the serial number for rendering is from the opening of the commitment by the outer-printing party.
  • FIG. 13 A shows the three-up version of the ballot with the candidate names, 9 corresponding to the Fig 12B, but with the extra sheet on the right that is "C-folded" into the middle and has the smaller holes in it. (The end view is from the top in this figure.)
  • the three-up plan view of the other side shows the indicia essentially of fig 12B, but with the additional panel on the left.
  • Fig 13C B unvoted view of the side that will be voted in the example is shown in Fig 13C, where the middle circle is from the small holes already mentioned. Voting is shown by daubing and the middle two positions are marked in this example as shown in Fig 13D.
  • the daub marks can be seen on the sheet with small holes in Fig 13E, which is the sheet provided for double- s sided scanning by the part who printed the inner side Fig 13B.
  • the voter again keeps the part of opposite top, shown as Fig 13F, but that top part is destroyed.
  • the voter also has the bottom part marked, Fig 13G, which is then compared to the online version Fig 13H.
  • FIG 14 a combination block, flowchart, schematic, and protocol diagram of an exemplary s embodiment of a combination disability friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • the system does not know which one.
  • the assistant i only marks the lower sheet from Fig 12, based on the signal from the voter who is listening to the correct order of candidates (but which order the voter listens to is unknown to the system).
  • the translation by "G” allows the orders the voter hears to more convenient, especially if two different "G” values are used, not shown for clarity.
  • a similar setup can be used for two ballot sets more generally.
  • the voter also keeps the code for use in audit, as shown in the screen images. This setup and process is substantially similar to those already described with reference to Fig 5-8. 7
  • FIG 15 a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of an untrusted-assistant combination disability friendly voting system in accordance with the teachings of o the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • This setup and process is substantially similar to those already described with reference to Fig 14 and also Fig 9. It will be appreciated that giving the voter the choice of two complete ballot sets, but not letting the system know which one until afterwards applies 3 generally.
  • the audio for the assistant shown can, as mentioned be public and/or replaced by visual signals.
  • the voter signals the assistant using temporal signals or by speaking or signing numbers, for example.
  • FIG 16 a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a two-party mixing system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • Values of various types are shown as entries in the three 9 matrices of five columns and the two of one column.
  • the dashed lines between the matrices illustrate the values of the pointers and indicate each pair of rows, one per matrix, with values corresponding to the same ballot.
  • the numbers to the left of each row of the leftmost matrix are row numbers that apply to the position of rows in the matrices themselves.
  • the rows of the matrices are comprised of entries called cells, one per column.
  • Each cell is of a particular one of three underlying data types: pointers (shown darkest gray) to other rows; transformation parameters, and the actual values corresponding to votes in various stages of processing.
  • the underlying data types appear in either encrypted or "committed” form and decrypted or “cleartext” form, and some change from encrypted to decrypted form as processing proceeds through an election cycle.
  • the pointers and transformation parameters (shown as table entries with various gray backgrounds) in particular appear initially in encrypted form and are selectively decrypted later, preferably in accordance 9 with challenges.
  • the vote values (shown as table cells without gray background) generally appear in cleartext, although they are subject to transformations as will be described.
  • the cleartext representation shown for both vote values and transformation parameters is shown as integers modulo three, for clarity.
  • the transformation operation is shown as addition modulo three, for clarity, although for multiple vote contests particularly, more general bijective mappings are anticipated, as would be readily appreciated by those of skill in the cryptographic art (for instance, composition of arbitrary randomly chosen group operation being well known).
  • s Two entities, the "receipter” and the “Tallier” are shown in the preferred embodiment.
  • the receipter knows the keys to the encryptions of the leftmost two matrices; the tallier knows those for the five-column matrix on the right side. Accordingly, the receipter knows the leftmost two row permutations and the tallier the rightmost two.
  • the five matrices can be thought of as a single "virtual matrix” if the rows are taken to be re-ordered so that the row permutations are the identity. (Preferably each matrix has the same number of rows.)
  • the secrecy of the ordering of the rows protects privacy.
  • the middle matrix, with its single column, is taken to be in the order of serial numbers of the i corresponding ballots for clarity and simplicity. The linking of this order to the tally order is kept secret by the tallier, even though there may be more than one instance of the right five-column matrix.
  • the middle five-column matrix hides the linking of the serial number order to that to the "receipter's secret ID" that orders and allows voters to find the corresponding posted rendering precursors.
  • the receipter's secret ID is provided, the receipter's super-secret ID, such as by a separately committed to and individually openable mapping, to allow the receipter but not others to link, as will be explained.
  • Multiple instances of the two permutation-containing matrices are preferably used in parallel, as will be appreciated, but not included here in the description for clarity. Operation, in overview, includes a series of transformations.
  • the modulo three values in the "tally" column are preferably for clarity interpreted as corresponding with zero-based indexing to the three candidates in a pre-determined order, such as alphabetical order.
  • Preelection posts the pointers and transformation parameters in encrypted form. Then a preferably public random selection is made of these values, such as by indicating certain rows, for instance by the index of the "shared value cell," which is preferably the ballot serial number. The keys that allow these rows to be decrypted are then revealed, thereby “opening” the "commitments.” Any interested observer is then able to check that the pointers are followed and that the net effect of the transformation of the resulting "virtual row,” apart from the leftmost matrix, is correct, and that the pointers are at least distinct.
  • Substantial probability of correctness of the postings can be established by this phase.
  • the second phase entails two aspects, posting of "rendering precursors" and opening of rows indicated as unused in the voting. These preferably proceed in batches, preferably synchronized so as to provide a simpler voter experience. Voters are able, once their ballot batch is posted, to see two things preferably in their own information 6 processing system (pc): the unused serial number of the pair of serial numbers forming the ballot is posted and matches that unused part of the ballot form the voter retains; and that the marked positions (and their symbols, where used) match that viewed when the scramble code and receipter secret number are entered and processed locally.
  • pc information 6 processing system
  • the final phase entails releasing the outcome and public verification that transformations, substantially and at least with substantial probability under the assumption of random challenge, are correct.
  • the values can optionally be encrypted and selectively checked without revealing the tally, 12 preferably even to either entity, as a kind of robustness test of the transformations.
  • All the values will be posted substantially at once, first by the receipter entity and then by the tallier entity, for simplicity in explanation and clarity.
  • Verification of the transformation proceeds as with previously disclosed systems referenced earlier: one or the other of is two halves are requested to be opened, but not both, and optional parallel instances provide additional verification.
  • the formula notation indicates the basic transformations and their relations.
  • the formula corresponding to each pair of transformations indicates the net effect of the pair.
  • the values rl, r2, and tl correspond to the two transformation 18 pairs by the receipter and the single pair by the tallier, respectively.
  • the same symbols with a comma and second numeral appear in the labels above the columns.
  • the transformation is the net combined transformation (the sum in the case of addition modulo three); the values with the same symbol but the two different digits after the comma 21 have a combined net transformative effect equal to that of the symbol without the comma.
  • applying rl,l and then rl,2 give the same transformation as applying rl.
  • the formula for a value column gives a closed form for the value of each of its cells.
  • the receipter includes the shared a? permutation in two stages, first si and then s2, and then the tallier removes both of them. Transformation -pi is what lets the posted rendering precursor not reveal the actual mark m. With direct marking, only one permutation, pi, is nontrivial; with indirect marking involving printing by both entities, both pi and p2 preferably correspond to printed so transformations.
  • FIG 17A-C shows a ballot formed from a substantially sheet material such as paper or the like with a so-called “carbonless copy” functionality preferably on the inner surfaces, those surfaces exposed in Fig 17C.
  • the 36 so-called “self-contained” type of carbonless coating such as that made by Appleton of Wisconsin under the name SC NCR paper and product number 2751, being an example.
  • the printing on the outside surface of the folded and preferably pre-perforated form, as shown in Fig 17A has as examples two contests each of three candidates.
  • the serial number, 39 765653 is shown on Fig 17A.
  • the order of the candidates is preferably arranged related to the serial number according to an encrypted voting scheme, as disclosed in references mentioned. It will be appreciated that an optional extra set of the same contests is shown printed on the reverse side of the ballot, as seen on the left half of the so-called "two-up" front 3 surface of the form shown in Fig 17B.
  • One advantage of such apparent redundancy is believed to be that it provides voters the ability to keep a valid ballot that they or others can then audit, a technique mentioned elsewhere here and generally useful, as will be appreciated.
  • Another believed example advantage is allowing the voter a chance to fill the 6 form again in case of a mistake.
  • the mark is transferred onto the other layer of the still preferably folded form through the carbonless system function.
  • the optional large ovals shown on the inner surfaces are an example graphic to help voters interpret the positions of marks formed on that surface of the receipt.
  • SC layer such as a fully coated exposed surface of Fig 17C, means that the mark is also visible on the inner side (the side shown on the left in Fig 17C) of the 2 sheet marked as well as the inner side of the other sheet (exposed on the right in Fig 17C).
  • Such double-marking is believed an advantage as the scanning of the sheet submitted preferably is double-sided and detects the images of the marks created by the carbonless and preferably uses the additional information to help s improve the accuracy of the scan. For instance, the system preferably warns if the marks on the inner surface (left side of Fig 17C) do not reflect those on the front surface (right side of Fig 17B). It is believed that using such inner carbonless mark, instead of or in addition to the corresponding outer mark, provides additional uniformity and information about s voter marking. For instance, some marking instruments, such as certain pencils or colors of ink, do not scan well in some systems; with the carbonless, the mark color is determined by the dye. Moreover, marking pressure is indicated in carbonless images.
  • the forms are preferably printed on the inner layer and perforated for folding in a first step, as this is 4 preferably the same per ballot. Then the outer surface is printed, with unique serial number and corresponding permutations of candidate names per contest as known. If folding precedes the outer printing, then smaller format printers, including so-called demand printers, can be used, which may be an advantage in some applications. In large- 7 volume production, so-called web printing is preferably used followed by die cutting and/or sheeting equipment, as is known.
  • Two cooperating carbonless coatings such as applied by modified offset printing as known, one located behind each set of ovals on the front surfaces on both sides of the inner layer, are preferable, as the amount of coating material is 0 reduced compared to full coating and marks resulting from handling can be reduced by separating the layers.
  • two separate two-part carbonless chemistries are used, one part from each applied to each layer; the result appears to work like the SC type, except that when the two layers are separated, no stray 3 marks are recorded as the typically micro-encapsulated activator needed for each sensitive coating is not present in its own layer.
  • the inclusion of so-called "taggants” in the material optionally provides evidence that the marks were caused by the same opposite part.
  • the voter then receives a form preferably folded as shown in Fig 17A, for instance in the mail for so-called absentee voting, or at a polling place, and fills the ovals as 9 usual. If there are redundant ballots, one on each side, as mentioned, the voter preferably chooses substantially randomly between them. After marking as with conventional ballots, the voter is to separate the forms along the perforation/fold line shown, to produce the two separate sheets shown in Fig 17D through 17G.
  • ID is the outer surface 3 marked directly by the voter, IE is its inner side; IF is the inner surface of the receipt sheet and IG its outer surface.
  • the upper sheet shown in Fig 17D-17E, is then submitted as the ballot, such as to a ballot box, scanner, or mailed in. It will be appreciated that this form is substantially similar to existing ballots and is readable and can be counted by hand if need 6 be.
  • part of the system optionally includes at least a scanner and screen to shown the voter the results of the scan.
  • the other sheet, shown as Fig 17F-17G, as mentioned, is preferably kept as a so-called encrypted receipt.
  • the 3 encrypted receipt preferably is also available online or otherwise for checking, as illustrated in Fig 17H, which shows each side of the receipt, side-by-side.
  • the voter preferably has at least the opportunity to check this as in related systems, typically by providing the serial number to an automated system.
  • the large ovals of Fig 17H correspond to those of Fig 12 17F, and in the example are selectively filled as an example way to indicate whether a corresponding mark was recorded for the corresponding position in Fig 17F.
  • the association of candidates with positions is mediate 15 through arrows, as in Fig 19.
  • the order of candidates in some examples, is optionally fixed, for instance, yet the arrows associate apparently randomized oval positions with each candidate.
  • symbol pan such as described with reference to Fig 1, is optionally used.
  • Indirection through graphical or symbolic means, such as in is the examples mentioned, is also applicable for instance to the embodiments of Fig 12 and Fig 13.
  • Fig 18A is what will be called here a sticker palette and 18B a ballot form, before voting;
  • Fig 18C is the palette of Fig 18A after voting and
  • Fig 18D is the corresponding voted ballot.
  • each of the example six stickers on palette 18A has the same barcode pattern; preferably these patterns are the same per palette, but at least substantially distinct across palettes. (In some settings, re-use of such patterns for a number of ballots in an unpredictable manner is believed to offer some privacy and provide only minimal risk of abuse, as
  • each sticker shows a symbol pair, a contest number and a candidate identifier.
  • each candidate is shown in the example as being associated with a unique candidate identifier symbol.
  • symbols are taken as lowercase letters from the same prefix of the alphabet,
  • the resulting palette is the encrypted receipt; the resulting ballot is the form that is mailed in or presented to an official or placed in a box or scanned. It will be appreciated that a properly positioned sticker covers the codes for the various
  • part of the system optionally includes at least a scanner and screen to shown the voter the results of the scan.
  • substrate material such as paper, card stock, coated paper or stock, laminates more generally, and various other materials, whether formed from single sheets/coatings and/or fibers and/or yarns. Scratch-off coatings are traditionally formed from latex. Attachment of tamper-indicating is layers is by a wide variety of known techniques, including: adhering around the edge, self-adhesive materials, folded edges, and welded seems. Various tamper-indicating techniques, such as fugitive adhesives, residue layers, aging chemistry, frangible parts, and the like are known from various fields and are readily combined here.
  • Serial number or the like preferably human and machine readable, preferably identify the ballot forms, however, these are optionally protected by various layers not described further for clarity.
  • Information revealed to voters preferably comprises such things as digits, letters, code groups, pronounceable artificial words, various symbols, and the like.
  • Bullets or other identifiers for candidates are preferably from different colors and symbologies that are unrelated to the election issues.
  • candidate and/or question identifiers themselves are optionally used in place of the bullet symbols.
  • Label layers optionally contain arrows associating candidate/questions on one end with mark positions on
  • the codes under the protective layers correspond to the symbol choice in other systems, such as those described with reference to Figs 1-4, Fig 10 and Fig 16.
  • the mappings between voter choices and codes that is preferably destroyed a? by the voter during discovery of the codes can be regarded as defining symbols marking the choices, as would be understood by those of skill in the art, and those symbols would be committed similarly to the way the codes are. Voters can check that the unused ballot parts, such as additional sheets, were committed properly, by not voting them and then
  • One example variation comprises multiple contests on the same form.
  • Another example is multiple forms, preferably attached, such that the voter can choose which form to vote and which to inspect and even check to ensure that it is well formed.
  • the voter is to mark the upper square in case they wish to vote for Dean and the lower to vote for Jones — on this particular example ballot instance with serial number 34824.
  • other ballots each preferably with their own unique E serial number, preferably have substantially independently arrange symbols, such as being cyclically shifted or more generally permuted, as is known from other example voting system such as the so-called punchscan system.
  • the indication to the voter of where to mark for which choice is preferably printed on top of the scratch-off layer shown with 9 round corners and encircled by a dotted line that is printed on the sheet, as indicated on Fig 19A.
  • the example shown is where the indication is as bullet symbols and triangle pointers.
  • Optional and/or alternate examples of arrows and/or color coding are anticipated as well.
  • Fig 19B-C the indication of where to mark has been "scratched off and effectively removed and destroyed.
  • Fig 19B shows the state of the ballot after the voter has selected and marked the upper square. This would correspond to a vote for Dean in the example as mentioned.
  • the marking is shown in the preferred 15 embodiment of scratching-off the layer covering that square. Other marking means are anticipated.
  • Fig 19C illustrates the case where Jones is voted for. It will be appreciated that in both voted forms the voter has substantially in parallel removed layers to protect ballot secrecy and to mark the vote. It will be appreciated that neither voted ballot reveals the i8 actual candidate voted for to the public.
  • FIG 19D-E a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including printing below scratch-off layers in accordance with the teachings of the present invention will 2t now be described in detail sufficient for those of skill in the relevant art.
  • callout numbers are not used and the two candidates are again labeled with symbols O (reverse circle “A") for the first, "Tom Jones,” and ⁇ (reverse circle “B") for the second, "John Dean.”
  • the unvoted ballot would appear substantially as in Fig 19A (or Fig 19F to be 24 described.)
  • the two instances of the ballot shown include numbers printed under the scratch-off regions.
  • the number "98253" under the larger region serves to authenticate that the scratch-off over that region was substantially removed, such as when that number is provided to those running the election; the number optionally servers as all or part of the 27 serial number of the ballot, not shown for clarity.
  • scratch-off is not used for the mark squares but rather the printing is substantially visible and/or 6 hidden by the cover to be described with reference to Fig 19F.
  • FIG 19F a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including cover layers over scratch-off layers in accordance with the teachings of the present invention will 9 now be described in detail sufficient for those of skill in the relevant art. For clarity, callout numbers again are not used.
  • the embodiment shown here optionally is incorporated in the embodiments already described with reference to Fig 19 and Fig 19D-E above as mentioned.
  • the extra large region with round corners indicates a cover over the scratch-off layer 3 shown in Fig 19A already described.
  • Such cover is optionally as mentioned from folded stock, self-adhesive layers, and or otherwise adhered protective substrates.
  • the ballot can be of the forms already described with reference to Fig 19A-C or Fig 19D-E.
  • voters who are to be allowed to vote in a polling place are displayed in the sequence in which they are admitted, at least the most recent part of the display being visible to voters.
  • Certain sensitive information such as private addresses and/or signatures on file, is allowed to be viewed by voters present.
  • Voters or parties are allowed to photograph or otherwise record the images displayed, but these are filtered selectively to protect the sensitive information from being recorded.
  • the poll book is on paper, in others it is automated, and in yet others the book for the particular polling place is in paper but automated information is available for other polling locations within some political subdivision.
  • FIG 20 a combination block, flow, functional, schematic diagram, of an exemplary embodiment of a paper-based polling-place sign-in and forms in accordance with the teachings of the present invention
  • a first step per voter is to locate the voter name in the poll book. In some settings this is accomplished by the voter
  • the poll book is read by an automated device, such as a barcode reader or scanner.
  • an automated device such as a barcode reader or scanner.
  • Next box 2003 shows that an indication of where the voter name appeared in the poll book is printed out.
  • the form number is preferably printed as a pointer.
  • a sequence number for the signature slots and/or ballots in the box is also printed.
  • the voter is to make a handwritten signature, preferably adjacent to and on
  • FIG 21 a combination block, functional, schematic diagram, plan, and pictorial view of an exemplary embodiment of a partly automated paper-based polling-place sign-in and forms in accordance with the 2 teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Three different related parts are shown in Fig 2 IA-C, respectively.
  • Fig 21 A is an example poll book. It is preferably pre-printed and should include the names of all registered voters for a particular polling place. A barcode is shown printed next to each name, as an example to indicate the voter name and/or identity in a readily machine-readable format, although it is believed that text can as well be read by scanners. 8 Also printed is additional information, such as voter address, intended to help voters recognize their own entry and to allow other voters and/or observers to assess the validity of the poll book. Also shown is provision, as will be appreciated, for a mark to be made as already explained with respect to Fig 20, that links a used entry to the printed signature roster 1 form to be described with reference to Fig 2 IB.
  • a printed form and device are shown, where the so-called "reel-to-reel” approach to printing 7 is used as an example.
  • a protective cover with an opening for voters to sign directly onto the paper that is preferably transparent to allow voters and other to view at least a part of the previous entries.
  • what can be photographed is differentiated from what can be seen, as already explained, such as by use of colored filters or 0 other techniques described elsewhere here.
  • a mechanical shaft protruding from a part of the device will be understood to indicate that operation of the log by an increment for a signature can optionally allow another mechanism to advance.
  • Examples include devices that give access to forms, voting machines, or voting machine access authorizations means.
  • J In the example, Joe Jones has signed his name as the 25 'th actual voter in the poll book voting at this polling place. The signature stored electronically for him, however, has not yet been printed. As already explained with reference to Fig 20, the signature on record is preferably printed or viewable only after the purported voter has made a signature. It , will be appreciated that no signature is of record for the person filling provisional ballot request form "P15," although one was on record for voter D.J.
  • Fig 21C an example provisional, contested, wrong-precinct, or other type of form is shown that is to be used in case a voter is not in the poll book correctly.
  • a variety of information is required to be filled on the form, such 3 as by the legal setting and operations, an example of which is shown for concreteness.
  • a mark, shown as the word "recorded” is stamped on ⁇ the form to indicate that the corresponding log entry has been created and that the voter has signed it.
  • FIG 22 a combination block, functional, schematic diagram, plan, and pictorial view of an 9 exemplary embodiment of a manual paper-based polling-place sign-in and forms in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • Three different related parts are shown in Fig 2 IA-C, much as with the partly automated version of Fig 21 already described.
  • the poll book Fig 22A is without barcodes and instead of marking by sequence number stamps during use, sticker are adhered to it that include the signature formed by the voter and a pre-printed sequence number.
  • a substantially mechanical device that allows a single sticker and number position to come under the opening in the transparent cover.
  • the number written is the poll book position of the corresponding voter (or the form number). This number is preferably written by an election worker.
  • the voter signs the 3 sticker through the opening and a carbonless image of the signature is transferred to the paper form that is shown with tractor feed.
  • Carbonless stickers are believed known in the art, but in any case are readily formed as a carbonless paper that receives a pressure sensitive adhesive only around its periphery and that is adhered to the form for instance on an area i coated with a release material.
  • the sticker is then removed and placed on the corresponding position on the poll book. (An output shaft symbol is included, for purposes such as those already described with reference to Fig 21B.)
  • ballot box "stuffing” which is used here to refer to the addition of ballots that 0 have no corresponding entry in the poll books, thereby creating more ballots than poll-book entries but hiding which are the improper ballots.
  • serapping which is used here to refer to the interchanging of ballots that will be counted with other ballots, either totally fake ballots or ballots actually cast that would not otherwise be counted, such as 3 provisionals that are not positively adjudicated.
  • Different systems can be used for different voters in the same election. For instance, some voters may vote at their home polling place and others may vote provisionally.
  • the former need only a system that guarantees that each vote will be counted; the latter need a system that allows the votes to be divided after the election between those that will be counted and those that will not.
  • encrypted votes are also included.
  • write-ins are optionally not encrypted, but other votes are.
  • counterfoils, as well as optionally interfoils have encrypted votes on them. It is anticipated that substantially any embodiment disclosed here can be augmented to include encrypted votes or B to substantially run along side a system of encrypted votes.
  • a voter uses more than one object to vote, in some examples, and the voter preferably chooses these objects.
  • the way the choice is made is preferably so that the voter can ensure the randomness of the choice and that the choice made is 9 substantially hidden from the poll workers, such as by being taken or dropped from a rotatable hopper or by reaching into a box or bag.
  • Tin ' s is believed to ensure that the linkings would not be known to those who have scanned the forms in advance.
  • Envelopes and/or scratch-off coverings for example, optionally, are used to obscure the identifiers and/or
  • Redundancy developed by including linking to a poll book entry as well as a receipt is believed to have the advantage that both can be used separately, providing two avenues for audit.
  • also linking such poll book is entries and receipts allows a kind of voter audit of the link between receipt and poll book.
  • a "stub" that counterfoil remaining after a ballot is removed from a poll book or booklet of ballot forms, links physically to an interfoil or ballot form and optionally also to a corresponding receipt.
  • Modification of the votes on a ballot is preferably protected against.
  • Indelible inks and punching of holes are examples of permanent marks as is the fused toner of a copier or a chemical reactive ink system that is "fixed" to prevent further development of images.
  • the marks can be made difficult to duplicate, such as by using special punch patterns or special pens/pencils, even with morphing color patterns
  • a special no-vote mark serves as protection for voters that un-voted contests will be voted for them by those gaining access to the ballots. Publishing scanned versions of the ballots as soon as possible gives less time for improper modifications.
  • voting means are by microstructure that requires special equipment to read, such as light, magnification, chemical development, electromagnetic readers, etc.
  • a so further feature of a hiding system involves a substantially irreversible step that leaves evidence that the information was read.
  • irreversibility is by well known latex scratch-off protection.
  • Such means have the further advantage that identifying numbers can be printed next to each microstructure for ease in verification, particularly for voters.
  • Indicia are optionally on one side of a linked interface or different indicia on different sides of such an interface including with cryptographic linking.
  • ae Five exemplary embodiments are described, the second having two variants.
  • the first embodiment and first variant of the second embodiment are not believed to rely on an accounting of the forms used; the other variant and embodiments do.
  • Such an accounting is preferably against published lists of form microstructures, and is optionally augmented by
  • FIG 23 a combination schematic and plan view of an exemplary embodiment of an interfoil and counterfoil arrangement in accordance with the teachings of the present invention will now be described in detail 9 sufficient for those of skill in the relevant art.
  • An example system is as follows: Each form is comprised of a ballot and two foils. The counterfoil to the ballot, that is part of the form separably attached to the ballot, is called here the “interfoil.” The interfoil itself has a counterfoil, which will serve as the voter receipt.
  • Microstructure such as paper fiber 2 pattern, fiber/planchettes in whatever matrix, and or sandblasted region, believed hard to duplicate is in regions on the forms, such that splitting the form at a parting line of the region lets each half be a kind of "signature" that is readily authenticated as matched with its counterpart.
  • the interface between the s interfoil and receipt is also for convenience printed with a barcode, each bar of which extends across the parting/perforation line separating the interfoil and receipt.
  • Each receipt also preferably bears the barcode information as human-readable indicia.
  • Voters keep their receipts but deposit both the ballot and interfoil into ballot boxes.
  • the interfoils are successively tumbled and scanned three times as follows: (i) The first scan, after the first tumble, is of the receipt number part (and is optionally used to divide the 1 interfoils into batches, as described later, but a single batch is considered further here in this example for clarity), (ii) After the second tumble, signatures of, say, the middle section of the interfoil are scanned and posted, (iii) Then, after a third shuffle, the remaining interface, that between the ballot and interfoil, is published.
  • this 4 particular exemplary tumbling and scanning is believed to have the advantage that the scanning apparatus can be arranged to only be able to see each signature area during the corresponding scanning pass and the signatures can be published as they are read.)
  • the ballot images are preferably themselves published paired with the corresponding signatures, though it 7 is believed integrity can be maintained without this step, through adequate accounting of the ballots.
  • the interfoils can be divided into separate batches and all subsequent processing carried out on each batch separately.
  • three batches are 0 used: regular ballots, provisional ballots to be counted, and provisionals not to be counted. The rest of the processing described is carried out for each of the batches, three in this example, separately.
  • the "challenge choice" is made, such as by a lottery style draw followed 3 by cryptographic expansion of the draw result, so that one bit is associated with each interfoil signature.
  • the interfoils are tumbled for the fourth time and parts of them are removed: if the bit for a particular interfoil is set, the receipt interface signature is cut away from that interfoil and destroyed; if the bit is reset, the ballot interface signature is cut away and 6 destroyed. What remains of the interfoils is posted and made available for physical audit in its final ordering.
  • the ballot counterfoil interfaces are preferably printed with unique identifiers (preferably after voting or at least preferably not readily readable by voters) and these are associated with the counterfoils that corresponded to set bits of the challenge 9 choice. Any voter is preferably allowed to check that the receipt interface published matches that which they physically have, using the unique identifier to facilitate the lookup. Any ballot with a published interfoil interface signature should be physically auditable by interested parties.
  • Both ballots and receipts have counterfoils, that of the receipt is numbered including by barcodes, preferably in some examples the bars of which as in the earlier example extend over the separation lines.
  • Interfoils in some embodiments taking the form of overlay stickers, are able to be affixed between the counterfoils.
  • the interfoils can be attached to the ballot signature portion of the ballot, on one side, and the receipt/affidavit counterfoil, on the other side.
  • the identifying numbers and unique microstructure detail are posted in advance for each interfoil object, such as the overlay interfoil shown.
  • the microstructure regions of the counterfoils are at the parting lines, those of the interfoil preferably located away from where the counterfoil will affix; when the interfoil is affixed, the ballot and receipt parts can be separated, such as by die or perforation shown.
  • a "cover" layer on the interfoil part can protect the privacy of any microstructure and particularly any indicia that may optionally be printed for convenience in use.
  • a voter chooses a ballot and interfoil, preferably independently at random from a collection of each (preferably giving the voter confidence that which instances the voter uses are not known to others, such as those running the election).
  • the receipt can, for example, be given to the voter, be a counterfoil itself from a poll book, and/or an affidavit form.
  • the voter in the first variant chooses which counterfoil the interfoil will be associated with;
  • the decision is made at once for a set of ballots, each ballot getting a bit that results from the challenge choice.
  • the voter is to attach the interfoil to one of the two counterfoils, destroy the other counterfoil, and put the attached foils in the ballot box.
  • the voter puts into the box the fully assembled combination of the two counterfoils affixed to the interfoil.
  • those running the election are, preferably prior to voting, to post images of the foils and put them on display or otherwise make them available for audit; in the second variant, a challenge choice determines which pairs are to survive and be made available for audit and as a consequence which counterfoils are to be severed from the interfoil and destroyed.
  • Audits in either variant should include the ballots voted, preferably both in a digital and physical form. Also, voters are preferably able to see that their receipts are among those posted, by number, and can even check the microstructure of their receipts against the posted image.
  • the published records should be checked for consistency among themselves, such as lack of duplication of signatures. Auditors should check at least their own random sample of each of the available forms for consistency with the published record.
  • those components that were unused but not excluded from the accounting (such as by a polling place or other subdivision designator indelibly included in the object in advance) are preferably all made available for audit. Consistency checking should include particularly that exactly only signatures from the accounted set of signatures are used.
  • Voters are to take two stickers from a tumbler hopper or the like, so that the voter has some confidence that the stickers are not known to correspond to each other or to B the voter, and apply one to the ballot and take the other home as a kind of receipt.
  • the receipt sticker can in one variant be applied to a counterfoil from a poll book before being provided to the voter, thereby providing a linking to the poll book or at least the page.
  • Voters can check the validity of the receipt against the published list and auditors can check the ballot 9 stickers against the same list.
  • a cover layer not shown can provide protection for indicia, such as against voter or polling- place observer, until they are needed in processing.
  • this embodiment bases its efficacy on an accounting of the stickers. If a known number of 12 stickers are lost (and they can neither be counterfeited nor moved between forms), then it is believed injecting fake ballots into the pool would be limited to one per lost sticker. As mentioned elsewhere, indelible markings on stickers that divide them into collections that are not too small as to pose a privacy problem, such as per precinct, can be used to exclude is collections that have fallen into the wrong hands.
  • a second variant of the third system differs from the first variant already described in that instead of stickers each ballot has two counterfoils.
  • a voter is to remove and keep one counterfoil as the receipt and leave is the other intact. Which one the voter takes should be clearly the free choice of the voter.
  • Each counterfoil has a microstructure and human readable identifier, at least the identifier being covered by scratch-off latex or the like (all much as in Fig 23) but not shown here for clarity. Otherwise, the counterfoils act like the stickers of the first variant.
  • An exemplary system is as follows: This system handles provisional votes; it is well suited for combination with the above described third system, which cannot handle provisional votes. Voters are divided between the two systems, even though ballot forms from the same set are optionally used. The foils used are optionally self-
  • the ballots and matching affidavits each provisional voter receives are connected by a split sticker/foil, as shown in Fig 26A.
  • Voters choose a second sticker from the same batch and are to take it home, preferably adhered to something, such as a poll-book or affidavit receipt, in order to prevent its re-use for another purpose, and optionally split between the
  • the affidavit itself receives one part of the second split and the other part is a counterfoil receipt for the voter.
  • the voter can take an entire split affixed to a receipt backing, as shown more particularly in Fig 26B. ae After votes are cast, affidavits are adjudicated into "to be counted" and “not to be counted” classes, and each affidavit sticker split is preferably marked accordingly by an indelible means, such as a corresponding punch shape, on the sticker portion as well as preferably on the form itself. After an audit of the affidavits, the affidavit stickers are
  • the numbers on stickers affixed to the ballots should preferably also be revealed at the same time.
  • the ballots corresponding to the numbers in the to-be-counted batch of affidavit stickers is then ready to be counted and the ballots in the other batch are not counted but preferably checked for match as well. (It is anticipated that a variation uses false ballots to mask the provisional ballots.)
  • this scheme bases its efficacy at least on the stickers not being counterfeitable or transferable among forms. And further, the severing and tumbling of the stickers must be carefully observed for substitution of numbers that would have been pre-arranged to correspond to fake ballots; unless, there is an accounted limit on the number of stickers available, such as already described publishing of all the sticker numbers before the election. The number of stickers unaccounted for is the number of votes that can readily be cheated unless the cutting and tumbling is watched.
  • the system is a hybrid of encrypted vote and signature techniques.
  • the signatures are used mainly for write-ins, but also allow clear attribution of cheating in the case of disputed receipts.
  • voters fill at least two layers of ballot form.
  • An upper layer shows a set of choices preferably in permuted ordering (and/or positions not included for clarity), comprising the encryption of the vote.
  • a lower layer onto which the marks made by the voter on the upper layer are transferred, such as by carbon/carbonless copy paper, can also be written on directly by voters.
  • the voter is to fill the oval for the choice labeled "write-in" on the upper layer and then write on the lower layer, in the corresponding space provided, to record the name that is to be written in.
  • the lower layer is preferably divided, and physically dividable, into regions for each write-in vote (or optionally contest that allows multiple write-ins). And each such region preferably contains a signature.
  • Associated with such a signature preferably by published cryptographic commit and/or also by printing on such region, is an indication of which position the transferred mark must be in to indicate that the voter has voted the write-in ballot position on the upper layer and not instead voted a candidate position. If the transferred mark is in this position, it is counted; if it is not in that position, it is not counted.
  • a signature is also preferably included on at least one page other than the page with the write-in regions, including preferably at least one of a receipt layer and/or a layer retained centrally. All signatures used are preferably posted/committed in advance, to allow audit of the forms themselves.
  • One example type of such audit anticipated in the co-pending applications is that voters themselves would be allowed to take more than one form and can then look that form up later to verify that it contains the proper indicia.
  • Another example type of audit, believed made effective by the signatures having been posted is posting and display of randomly selected ballots.
  • One example way to select such ballots is before an election using whatever physical randomization or lottery-style random draw techniques. This has the advantage of detecting bad setups before an election would have to be re-run.
  • Another example way to select forms is to allow voters to choose their own forms from a batch of forms and then use all the remaining forms in audit, which has the advantage of making good use of extra form capacity.
  • the signatures are committed to in advance by posting each and the signatures are grouped into lexicographically ordered sets for each part of the form and each contest witln ' n the write-in pat of the form.
  • Posting encrypted signatures preferably using the known types of encryption that ensure exactly one decryption, is believed to impede some cheating scenarios.
  • the commits for the lower-layer signatures are opened only once the write-in regions that have been filled are committed to, such as by being posted, again believed to impede some cheating scenarios.
  • encryptions of information about the signatures are used to tie two parts of the same form together.
  • a receipt page and a part that bears the encrypted votes can be linked by each having a 3 signature with a commit to the pair of signatures published. The association is thus hidden from those who merely see the forms, but can be determined and even revealed using the decryption keys.
  • encryptions of information about the signatures commit to which position is the write-in corresponding to each region, and thus allow a physical e write-in region that includes its signature to be sufficient to determine whether a name written on it should be counted.
  • Box 90501 begins with manufacture of the ballot articles with suitable microstructure regions. In one example, this can be ordinary paper, 2 preferably with a printed boundary indicating the microstructure region, other examples already having been described more generally.
  • box 90502 is the manufacture of the interfoil objects along with the posting, such as on the Internet or in a recording medium, of the corresponding identifying signatures. This establishes a "universal set" of all valid s interfoils; further marking these partitions them, such as into batches per precinct, so that for instance supplies compromised for a precinct can be left out as mentioned.
  • Box 90503 is the top of the loop for the steps by each voter, although some voters may "bolt" and not finish all 8 steps. More than one voter, naturally, may be performing these operations at the same time.
  • Box 90504 includes the standard signing in of voters by marking a poll book, such as a manual paper poll book. It also includes the voter preferably being able to choose the ballot form from a collection of substantially identical ballot forms, preferably in a 1 way that which form which voter gets is not known to those operating the polling station. Also, the voter preferably chooses the interfoil in like manner. Where an affidavit is used, for provisional voting, not shown for clarity, it would be provided and filled at this point.
  • the voter fills the ballot in the booth, as usual.
  • the 4 voter as called for in box 90506 combines the interfoil with the ballot part and receipt/affidavit part by affixing them together and then separates the ballot and receipt parts from the new combined part.
  • the voter in the booth accomplishes this without assistance; in other examples, apparatus automates this step in the booth or outside of the 7 booth.
  • the voter completes voting as shown in box 90507 by placing the ballot and interfoil configuration separately in one or in two ballot boxes.
  • Step 90509 is the facility for voters to check that the signatures that they have received on the receipt or affidavit is one of those listed. 3 It will be appreciated that some posted signatures will not ever be matched by voters, at least because they were not issued; however, this is believed not to pose an issue to the integrity of the system.
  • Step 90510 represents two successive scans of the interfoil sets, each scan preceded by a tumbling of the interfoils. s In the example shown, first the interfoil signatures are read and then in the second scan the ballot part signatures are read. As mentioned elsewhere, it is believed advantageous that the scanning can post the outcome as it is scanned and that the physical apparatus can be observed as only having access to the part of the interfoil that it is supposed to for the particular 9 scan underway.
  • Box 90511 is the creation of the challenge choice, preferably by a mutually trusted random process once the signatures are committed to. In some examples this can, as mentioned, include a lottery draw type of public random a number selection with an agreed method to expand the random number into a sufficiently large string of bits if needed.
  • expansion functions are the so-called cryptographic "pseudo-random sequence generators," about which a substantial there is substantial scientific literature, combined with a complete ordering of the interfoil signatures, 6 such as a lexicographic ordering.
  • the interfoil sets are after being tumbled physically divided by bulk handling into two batches, one for each bit value.
  • Box 90512 shows the final tumble and severing of the parts from the interfoil that are dictated by the 9 challenge choice.
  • the scanning apparatus is loaded with the choice information per receipt or affidavit number or signature. Then, when an interfoil set is scanned, that number is looked up and if the corresponding bit is set, that signature is physically severed from the interfoil and destroyed. If the bit is reset, then the 2 ballot signature part is severed and destroyed.
  • Box 90513 shows the opening for physical inspection in audit of the physical parts of the interfoils that remain after the previous step and/or the auditing of the information posted. 5
  • FIG 28 a plan and schematic view of an exemplary embodiment of a ballot with write-in in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the 8 relevant art.
  • Three primary “pages” are shown on a form preferably on a single piece of paper, though separate pieces and secure binding between them is an option.
  • the top page looks like a traditional optical scan ballot, but the candidate names are in a permuted order for this particular form instance, which happens to have serial number 6-453-493-Z.
  • the 1 instructions with the "write-in" oval ballot position indicate that, in order to cast a write-in vote, the voter should fill the so-labeled oval and write the name on the inner page.
  • the inner page instructs the voter to print the name in the rectangle provided. It also warns the voter not to have any part of the form physically placed below the page while 4 writing the name on it, which is to prevent copies of the names from being made on other sheets.
  • a single sheet of paper is shown with all three pages, three up, side-by-side, with perforation lines dividing the pages for ease in separation by the voter.
  • the printing is on both sides; the backside of pages with printing is shown for 7 clarity, as will be appreciated, grayed out as a dot pattern.
  • the side shown facing up in Fig 28A is uncoated; the opposite side, that shown facing up in Fig 28B, is preferably coated with a well-known carbonless copy coating known as "cs" or "self-contained.” With such coatings, writing pressure makes visible marks by rapturing microcapsules containing die 0 precursors that are developed by other chemicals in the same coating layer(s).
  • the inner page and bottom page are facing each other and below the top page.
  • filling an oval on the top page using sufficient pressure applied to a writing instrument should cause visible marks 3 over one of the dots on the inner page and over a corresponding dot on the bottom page.
  • the writing pressure is sufficient for a mark on the inner page to be developed, it is also sufficient for substantially as dark a mark to be developed on the bottom page, since no paper separates the two facing cs coatings.
  • the 6 marks made on the top page also transfer to the underside of the top page, mirrored, because of the cs coating. This allows the backside of the top page to reveal the encrypted votes but not the plaintext votes.
  • Microstructure signature regions are shown on each of the three pages, all on the same side for convenience. 9 Encodings of the microstructure for each are, as mentioned, posted before the election, each in a separate set: one set for all the front pages, one set for all the inner pages, and one set for all the bottom pages. If there were more contests with write-in positions, there would be corresponding write-in regions, and preferably each would have a signature and be 3 posted in a corresponding set. Additionally, associated with each signature for a write-in region is an encryption of (or
  • the forms are made and 6 printed and the signatures are scanned.
  • the signatures for a page are then preferably posted, preferably in lexicographic order (optionally encrypted as mentioned already).
  • the signatures on the inner page are for convenience posted along with the corresponding serial numbers.
  • a cryptographic commitment, preferably tied to the signature(s) on the inner page, 9 is preferably posted as to which oval would need to be filled for the (corresponding) write-in to be counted. But preferably nobody knows which serial numbers the signatures, apart from those on the bottom page, correspond to.
  • Another commit is preferably published locking-in but hiding to which serial number the signature on the backside of the 2 top page corresponds.
  • the encryption keys are maintained by at least one trusted entity.
  • Voters receive a form, say, at the polling place. In the booth, they then fill the oval corresponding to their vote using a preferably special pen or pencil. To vote write-in, they fill the third oval from the top in the example shown, the 5 one that is labeled "write-in" where the candidate name would otherwise be; then they open the form up and write the name of the candidate they prefer in the box on the inner page.
  • the voter separates the three pages along the perforation lines. The bottom page is kept by the voter as the receipt, as indicated by the text on it. 8
  • the top page is placed in a ballot box, as is the inner page.
  • the top page is optionally counted manually, as is well known, such as for a preliminary total, fallback, or double check.
  • a digital capture of the vote, apart from write-ins, is accomplished by, for instance, scanning the top page or its mirrored image on its backside. Scanning the backside of the 1 top page is preferable, as it gives the encrypted vote without exposing the cleartext vote. (Another option is to scan the image on the inner page and preferably use a separate signature to link it to a serial number as has been described for the backside of the top page.) Processing of encrypted votes, with the voter being in possession of the receipt containing the 4 encrypted votes, is known in co-pending provisionals/applications by the present applicant hereby included in their entirety by reference.
  • the write-ins on the inner page are preferably scanned along with reading the adjacent signatures.
  • the decryption ⁇ related to the signature reveals the pre-determined write-in position. If this pre-determined position matches that of a unique transferred mark, then and only then is the write-in counted.
  • An image of the write-in region is posted and the physical piece of paper, preferably cut away from any other write-in regions, is also made available for inspection.
  • the 0 decryption of votes mentioned above, is believed to reveal the total number of write-in ovals properly filled for each contest. Only this number of write-in regions is believed strictly needed to be displayed/posted, in systems where all contests are voted or marked as un-voted. But, since guarantees of indelible marking on all ballots may not be adequate in 3 some implementations, it is preferred that in such implementations all regions be displayed for verification.
  • An affidavit is currently required in some election settings, such as some provisional and absentee voting.
  • a separate affidavit form bearing the receipt serial number is believed adequate. It is anticipated, however, that voters be 6 allowed to retain copies of such affidavits, such as carbon/carbonless copies, optionally bearing some authenticator(s).
  • Box 90701 is the production of the ballot forms.
  • One aspect of this is the 3 physical production of the paper, perforations, and folding.
  • Another is the scanning of the signatures.
  • a further aspect is the printing of the receipt numbers.
  • the printing of the encrypted contest descriptions is preferably possible at a later time, such as with so-called demand printing.
  • a Box 90702 includes the posting of the signatures. As already mentioned, these are posted in batches.
  • Box 90703 is the top of the loop for the voter process example for clarity in a polling place and provides the steps 2 for a voter experience, many of which may occur in potentially overlapping times during the voting period.
  • Box 90704 is the marking of the poll book and the issuing to the voter of the ballot and, in the case of provisional (or vote-anywhere) voting, an affidavit.
  • Box 90705 shows the voter marking the ballot for contests that either do not have write-in or for s which the voter does not vote write-in.
  • Box 90706 is the voter filling any write-in names on the inner page, after having marked the corresponding write-in position on the top page in box 90705.
  • box 90708 shows the voter keeping the 8 receipt and the placing of the other two pages into separate ballot boxes or a combined box. It is anticipated, however not shown for clarity, that the voter optionally displays the encrypted vote backside of the top page to a poll worker or to a digital camera device for instance, in order to provide a check that it was filled properly and/or to record the encrypted 1 vote.
  • box 90709 first the scanning of the encrypted votes is shown, although this optionally is a residue from the camera of box 90708. Also the signature related to the page from which the encrypted 4 votes are scanned is preferably read at this time. Then, also shown, is the posting of the encrypted votes along with the receipt numbers. In the example, this number is determined by decryption of the commit to the pairings of signatures and numbers mentioned. Box 90710 shows voters then being able to check, preferably online, that the encrypted votes on the 7 voter receipts do in fact match those posted under the matching receipt number.
  • Box 90711 shows the process of public decryption of the encrypted votes, as is known.
  • Box 90712 is the creation and posting of the unpredictable challenge choice used in the audit of the encrypted votes.
  • box 90713 is the scanning o of write-in regions and the marks copied on the regions from the ballot marking. Also, included is the capture of the corresponding signatures.
  • the write-in regions are preferably physically separated and independently re-ordered, so as to reveal less information. Also, it is determined which write-in regions are to be counted.
  • the actual OCR and/or human 3 recognition of the names to be counted is optionally preferably done at this time, so that what is posted does not include handwriting or other additional information.
  • Box 90714 is the publishing and displaying of the various keys and signatures for audit. Included among 6 the keys are those used in known manner for the decryption of the encrypted votes. Also revealed are the keys establishing the correspondence between the receipt numbers and the backside of the top page. Included among the parts to display are preferably all the write-in regions and their attached signatures. It is anticipated that in case of dispute over 9 the published image of particular receipts, the backside of the top page would be shown along with its signature.
  • Figure 30 a detailed plan and schematic diagram of an exemplary punchscan ballot with write-in 3 in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • Fig 30A Shown in Fig 30A is a modified version of the un-voted ballots already described with reference to Fig IA- B.
  • a "write-in" option has replaced one of the candidate choices, as will be appreciate, and a microstructure s signature region with associated apparently random identifying indicia has been added, all below a perforation line and on both layers.
  • a corresponding example write-in voted version of each layer is shown in Fig 30B 3 where the write-in position has been marked by the voter, much as explained with reference to Fig IC-D, but the name of the 9 desired write-in candidate is then also written in by the voter on the line provided.
  • the write-in part from the layer that would be destroyed is preferably separated and placed in a kind of 1 s ballot box; with mail-in or manual voting, the write-in is of course on the part mailed or placed in the box and optionally is not separated.
  • a results table entry shows a vote for a write-in (as shown by the marking of the middle position, "B" in the present figure)
  • the second set of transformations is used to show that it does map to one of the posted set of is write-in signature identifier numbers that has been written in (without revealing which one).
  • the corresponding commits are preferably opened for checking during audit of the writ-in counterfoils. So that voters can check that the microstructure signature on the write-in part/counterfoil of their receipt does match that committed to, all the commits for ?” microstructure of the receipt parts are also opened.
  • a limited number of write-in lines are available to the voter and the voter is to identify both the contest and the desired candidate on whatever write-in line the voter chooses. Rows in the 24 intermediate table of the transformation in this case preferably would appear to allow each result entry to map to the corresponding write-in (respecting any partitioning of results entries as mentioned elsewhere). In other examples, such as with asymmetric ballot forms, like those to be described with reference to Fig 31, it is believed that the transformation is r/ preferably not used.
  • FIG. 31 a detailed plan and block diagram of an exemplary ballot with write-in in 3 ⁇ accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art.
  • the ballot form is substantially similar to that described with reference to Fig 17, although only the first contest is shown and the write-in choice is included in it between the first and last candidate in alphabetical order, as with 39 Fig 30, for clarity. Additionally, it differs in that the write-in space and identified microstructure region are added, much as in Fig 30, with the parts arranged over the four surfaces as shown. While 3 IA shows the un-voted top, 3 IB shows the un-voted bottom, both two up.
  • 31C is an example write-in voted front and back view of the left sheet from a 3 IA-B
  • 3 ID is an example write-in voted front and back view of the right sheet from 3 IA-B.
  • the writing in is to be done by voters on the sheet that is turned in, and thus is done on the back side of it. This optional feature is believed convenient as the voter is less tempted to leave a carbon image of the write-in on the e receipt, and with some carbonless techniques described earlier may not be able to create such an image.
  • the receipt sheet and online images after voting are not shown, as they are substantially as in Fig 17.
  • Another example use of the present techniques relates to so-called "spoiling" of ballots.
  • the ballot is preferably prevented from being tallied and this process is referred to as spoiling. It is believed that a spoiling procedure should preferably not be possible for poll- workers to carry out on a ballot previously thought to have been cast by a voter. It is also believed that a spoiling
  • both the voter and the poll- workers should each obtain a part of each part of the ballot form. Two copies of the serial number are preferably included
  • the voter gets a serial number from each layer and the poll- workers keep a serial number from each layer.
  • the rest of the ballot is preferably shredded. Similar perpendicular partitioning is applicable to other two-part ballots. With one-part ballots, the ballot itself
  • Microstructure signatures help authenticate the parts of a ballot, and are preferably included at least on each piece of paper kept as a record/receipt of spoiling.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Time Recorders, Dirve Recorders, Access Control (AREA)
  • Credit Cards Or The Like (AREA)

Abstract

Disclosed are voting systems based on paper ballots (20110, 20133) that provide integrity of the election outcome through the novel us of encrypted votes and other techniques. In some example embodiments, holes through layers allow voters to see and mark symbols on lower layers, carbonless coatings allow voters to obtain substantially identical marks on facing surfaces, self-adhesive stickers are removed from one position and placed by voters hiding vote-revealing indicia on a second position, and scratch-off layers bearing vote revealing indicia are destroyed while being removed to expose coded information. Simplified cryptography for realizing these systems also presented. Related systems allow those with various disabilities to develop and check voted ballot forms (20110, 20133) that are substantially indistinguishable from those voted by other voters. Inclusion of write-in votes is provided for. Also provided are inclusio of provisional ballots and spoilt ballots and integration with registration sign-in.

Description

BALLOT INTEGRITY SYSTEMS
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates generally to election systems and more specifically to security and privacy in such systems.
3
2. Description of Prior Art
The present application claims priority from the following United States Provisional Applications, by the present applicant, that are hereby included by reference in their entirety: (a) US Provisional application number 60/716215, titled s "Symmetric punched and daubed ballot systems," and filed 9/12/05; (b) US Provisional application number 60/740007, titled "Tactile audio encrypted ballots and receipts," and filed 11/28/05; (c) US Provisional application number 60/740131, titled "Auditable efficient election protocols," and filed 11/28/05; (d) US Provisional application number 9 60/758280, titled "Paper encrypted vote and receipt systems," and filed 1/12/06; (e) US Provisional application number 60/788412, titled "Receipt voting systems," and filed 3/30/06; (f) US Provisional application number 60/834760, titled "Scratch-off voting systems," and filed 7/31/06; and any other related such applications. 2 Various techniques for producing, rendering, controlling access to, voting, capturing, posting, counting, and auditing election systems are known.
It is believed that a central issue in election systems is their ability to convince voters that the votes of all valid s voters participating in the election are correctly counted.
Another issue in voting systems is ballot secrecy, which should prevent other than the voter from learning how the voter voted, with or without cooperation of the voter. When paper ballots are used, it is believed desirable in many s settings that the form used to capture the vote does not bear the cleartext vote but rather an encrypted vote. For instance, this allows those transporting ballots and polling place scanners to be kept from learning the cleartext votes. Partly related, at least in some settings, is the issue of to what extent ballots voted by different groups are readily distinguished. 1 Some systems can process ballots from multiple sources into a single batch of outcomes, but the ability of those operating the system and supplying the forms to discriminate or track batches of ballots can be an issue in some settings.
It is known that election outcomes can be substantially affected by the order in which candidates are placed on 4 ballots. So-called "ballot rotation" systems are presumably aimed at addressing this, but often are imperfect in concept and introduce additional costs and errors in implementation. Also, where voters can be seen from a distance, the order of candidates being readily determined, such as even with standard rotation systems, allows their choices to be more readily 7 recognized. Nevertheless, in some settings, particular ballot orders are required by law and/or desirable for ease in locating candidates. Systems that allow full control over order has the advantage of being well suited to the range of such settings. Another desirable characteristic of voting systems in some settings is universal applicability of a ballot form. Thus, the voter votes the same form whether using a polling place with automation, a polling place with only a ballot box, a
3 polling place in which automation has failed, or mail in or otherwise delivered ballots. From the perspective of voter experience, a common ballot form has advantages in terms of voter education as well as for voters that would otherwise have to use different forms in different settings. a Demand printing of ballots is attractive, particularly for large number of "ballot styles" where flexibility in election processes is desired. For instance, voters who wish ballots in particular languages and/or those who would like to vote at a polling place that has a different ballot style from their "home" polling place. The ability to use ordinary
9 commercial printers, such as those currently made for offices or even consumers, is believed attractive from a cost and scalability perspective.
Substances added to ballots, such as coatings, can have environmental and/or toxic effects and be problematic for 2 recycling, and thus may have additional costs and/or be undesirable in some settings.
It is generally believed, and actively advocated, that voters with disabilities should be able to vote in a way that is autonomous, makes their votes indistinguishable from those of other voters, and provides them with the same level of s verification and protection against improper influence as other voters. The present application is in one aspect oriented towards obtaining the advantages of encrypted ballot/receipt systems for voters who cannot read the ballots and/or mark it. This is directed at attendance voting settings using machine-read ballots, such as where voters vote at polling places s using so-called "optical scan" systems.
There are, generally speaking, three known approaches for obtaining marked paper ballots where the voter is present but need not see indicia on ballots, and in only one do the voters actually mark their own ballots. i The first approach may be called "human assisted" marking, and varies by jurisdictions. It does not provide autonomy, because one or more persons assist the voter in the act of voting. Some jurisdictions, for example, require voting with the assistance of a poll worker, who typically is to read the ballot aloud to the voter and to record the 4 responses uttered by the voter. Unfortunately, it may be particularly difficult for a blind person to ascertain with certainty who overhears their votes. Not only does this give poor voter privacy, but it also facilitates various types of so-called "improper influence," such as at least potential confirmation in vote buying or coercion schemes. Integrity issues are also 7 raised, since there may be little to ensure the voter or others that the poll worker records the votes faithfully. In other jurisdictions, representatives of multiple parties are required to assist the voter, thereby improving integrity but at the expense of further reduced autonomy and secrecy. In yet other jurisdictions, the voter may bring a person of the voter's o choice. This is potentially better as far as voter concerns, although it enables some improper influence schemes. In some countries it is allowed for more than one person to enter the booth (or even for proxies to vote), such as family members or those in possession of certain documents. While such permissive schemes may offer some convenience, they facilitate 3 various kinds of fraud and improper influence, and are not considered further here.
The second known approach may be called "automated" marking, such as with machines developed by Vogue Election Products & Services of Glen Ellyn, Illinois. These are essentially so-called "DRE" (Direct Recording Electronic) 5 voting machines. Instead of recording the vote electronically for later transmission by those running the election (often through a physical device anyway such as a memory card), however, they print the vote as a form that is provided to the voter for casting. In some cases a pre-printed form may be scanned in or otherwise loaded by the device and only the 9 votes are marked on it by the device's print engine; in other cases the form may be rendered and printed completely by the device. In addition to audio voting interaction, as with DRE's, displays may offer enlarged or otherwise enhanced images readable by those who would not be able to read the ballot directly. One additional considerable advantage of
3 audio capability generally is that sited but illiterate voters can also use it. Furthermore, it is believed often less costly, time consuming and cumbersome to generate audio in various languages compared to typesetting and laying out corresponding forms. There are, however, believed to be substantial procurement, storage, and transportation costs, as e well as reliability issues for such hardware devices, which apparently integrate printers and scanners with touchscreen user interfaces. A fundamental shortcoming of the approach generally is believed to be that, even in the best case, when the device marks standard ballots, the ballots are readily recognized as having been marked by machine.
9 The third approach may be called that of "tactile" marking. One example is Braille ballots. These can only be used, however, by the small fraction of the blind population (believed sometimes estimated at roughly 5% of the legally blind in the United States) who are currently able to read Braille adequately. Of course the ballots would also stand out as 2 having been voted by the blind. A hybrid Braille and ink ballot would address this issue, but would not be very practical, as it would greatly increasing the size, thickness, handling difficulty, and cost of ballots and processing.
The other major example of the third approach, called here "tactile audio," relates to the so-called "tactile ballot 5 templates." These are believed to at least have been used, for example, in public sector elections in Rhode Island, Canada, Peru and Sierra Leone. They provide in essence what may be called a "guide," such as a sheet of relatively rigid material held in alignment with the ballot paper, which includes openings where marks are allowed. In addition to the tactile s nature of those openings themselves, other tactile indications are included formed in the guide, such as in Braille or simpler codes. An audiotape or the like is typically provided that informs the voter of which candidates or question responses correspond to which coded openings on the guide. The audio aspect brings with it the advantage, already 1 mentioned earlier, that sighted voters who are illiterate or wish a language that is not available in printed form can use the system to vote. Such an approach is believed attractive for unencrypted votes.
The tactile audio approach does not provide voters using it with the integrity and secrecy protections of the 4 encrypted vote/receipt systems mentioned earlier. For instance, voters are unable to check, after leaving the poling place, that: they were provided with correct information about what to mark, that their marks are accurately scanned, and that the scanned values are properly included in the final tally. As another example, readable ballots do not provide the 7 secrecy advantages of encrypted ballots, such as: for handling while in a polling place or for so-called provisional ballots or what may be referred to as "vote-from-any-precinct," which both require that the voter identity be linked to ballots during protracted handling/processing. o Accordingly, objects of the invention in this aspect include bringing advantages of encrypted ballot and/or receipt systems to audio tactile ballots at polling places and other settings, including audio assisted and assistant-marked balloting generally. 3 A further aspect relates to processing of encrypted votes. Known voting systems make extensive use of sophisticated types of cryptographic functions and protocols (such as, for instance, public key, secret-shared homomorphic systems), limiting the ease with which they can be widely understood by the public. Those previously 6 proposed by the present applicant are believed to have privacy substantially exponentially good in the number of rounds and detection of cheating substantially exponentially high in the number of votes improperly changed. (Underlying this, a choice for statistical integrity, compared to that based on cryptography, with privacy based on cryptography, is often s made to protect against the chance that an adversary wishing to change the outcome of the election might have access to unexpected algorithms or resources.) A system introduced here offers substantially perfect privacy and probability of detection of improper changes exponential in the number of rounds (in a similar underlying model). The amount of 3 computation and data storage is reduced, while maintaining strong integrity properties. Moreover, it optionally only uses a basic type of encryption, that is believed more familiar to and more readily understood by the public.
Encrypted vote systems are known in which voters mark paper ballots and retain receipts that allow them to check β online that their votes were recorded correctly. Privacy and secret ballot properties have been provided, although there is room for improvement in this regard. Some systems have a single entity that performs operational aspects and that obtains as a consequence special access to privacy of votes. In some systems and settings, the checking information posted can 9 reveal some information about the vote to other than the voter.
Various user interface approaches have been proposed, as exemplified by two types. In the one type, users mark next to a candidate and in the second type they mark in a position indicated by a symbol matching that next to the 2 candidate. The former presents candidates in substantially randomized order and the latter in whatever order is wished by those conducting the election, such as alphabetical order. As a consequence it is believed that neither is clearly preferably for all applications or even all contests within a ballot. Moreover, system for the two types of interface have addressed s different settings and with apparently different mechanisms. Simplicity of mechanism has advantages in election system applications.
Carbon paper and so-called carbonless paper are well known for making copies of marks made on forms, such as 8 those made by voters. One known problem with such techniques, however, is that the original may be apparently well marked, but the copy does not come through well. With demand printed ballots, physical structure related to so-called
"ballot style," such as holes or scratch-off may be problematic and can lead to general formats that are less than optimal 1 in terms of clarity, economy, and aesthetics. Moreover, demand printed ballots are ideally substantially indistinguishable from those printed otherwise. Physical structures have increased associated direct and handling costs.
The use of self-adhesive "stickers" by voters to indicate their choices through the selection of stickers placed on a 4 ballot template was proposed by Boram in US Patent 4,717,177. The resulting ballot exposes the votes to those who might see it in transport and handling, which in some settings is not a desirable feature. Moreover, such forms to not provide an encrypted vote function. Furthermore, the unused portion of stickers in known systems also reveals the vote 7 and does not serve as a receipt in an encrypted voting system.
It is often desired in voting systems to hide how a particular voter has voted, providing privacy and/or so-called secret ballot properties, as mentioned. A related technology is envelopes and/or material layers, such as covering sheets O adhered in place or the like. So-called "scratch-off layers typically formed from materials including latex on paper cardstock or the like are known and familiar to the general public particularly because of their use in lotteries and the like.
In some settings, it may be desired to provide integrity of the election that is verifiable including by voters who are in 3 possession of the ballot form, while maintaining ballot secrecy. In an example inventive aspect, accordingly ballot secrecy is maintained in some cases including even if the voter does not follow procedures and in some cases including side information and/or virtual transmission of ballots, using scratch-off and/or other removable layers. Desired would be 0 forms that allow the voter to discover codes that can be authenticated as valid when supplied over telephone or Internet, in part at least because the forms need not by physically transported back to, and then also process when received by, those running the election. Control of access to attendance voting is typically done through the known device of a physical poll book, which are being replaced in some jurisdictions by automated and even online systems. Verification by voters, however, is 3 cumbersome with manual poll books, since the information is often neither optimally complete nor well organized for the task at hand. As with voting machines, automated registration systems provide little transparency to voters.
In a further inventive aspect, voters who are to be allowed to vote in a polling place are displayed in the sequence e in which they are admitted, at least the most recent part of the display being visible to voters. Certain sensitive information, such as private addresses and/or signatures on file, is allowed to be viewed by voters present. In some example settings the poll book is on paper, in others it is automated, and in yet others the book for the particular polling 9 place is in paper but automated information is available for other polling locations within some political subdivision.
Known encrypted vote systems that can accommodate so-called "write-in" votes use automated equipment in the voting booth, and such equipment can be substantially more costly than manual systems. Receipts in known encrypted 2 vote schemes use information related to each independently processed contest or ballot question, their size is substantially proportional to the amount of such information. Also, in known cryptographic receipt systems, although arguably not substantial issues, compromise of cryptographic protection can link receipts to ballots and the sophistication of s cryptographic systems has been an impediment to their early adoption.
Objects of the present invention in one aspect, accordingly, include secure receipts whose size is substantially independent of the number of contests or questions and that accommodate write-in votes without in-booth automation. s Another object, in some embodiments, is an augmentation of manual encrypted vote systems to include write-in vote without introducing additional automation to be used by voters. A further object, at least in some embodiments, is less reliance on cryptographic techniques and in particular a receipt-to-ballot linking that cannot be learned by compromise of i such techniques.
The present invention aims, accordingly and among other things, to provide novel and improved voting and related 4 systems. Transparent integrity, ballot secrecy, usability, accessibility, and robustness in such systems are important goals generally. Objects of the invention also include addressing all the above mentioned as well as providing practical, robust, efficient, low-cost election systems. AU manner of apparatus and methods to achieve any and all of the forgoing are also 7 included among the objects of the present invention.
Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figurers.
BRIEF DESCRIPTION OF THE DRAWING FIGURES
0 Figure 1 is a combination plan, schematic, and layout diagram of an exemplary embodiment of a punchscan ballot in accordance with the teachings of the present invention.
Figure 2 is a combination block, schematic, flow, diagram of an exemplary embodiment of a overall punchscan election 3 in accordance with the teachings of the present invention.
Figure 3 is a combination block, schematic, flow, diagram of an exemplary embodiment of a punchscan ballot production in accordance with the teachings of the present invention. Figure 4 is a block diagram and flowchart of an exemplary embodiment of a punchscan ballot demand printing in accordance with the teachings of the present invention. Figure 5 is a combination block, flowchart, schematic of an exemplary embodiment of a first disabilities friendly voting system in accordance with the teachings of the present invention.
Figure 6 is a combination block, flowchart, schematic of an exemplary embodiment of a second disabilities friendly voting system in accordance with the teachings of the present invention.
Figure 7 is a combination block, flowchart, schematic of an exemplary embodiment of a third disabilities friendly voting system in accordance with the teachings of the present invention. Figure 8 is a combination block, flowchart, schematic of an exemplary embodiment of a fourth disabilities friendly voting system in accordance with the teachings of the present invention.
Figure 9 is a combination block, flowchart, schematic of an exemplary embodiment of an untrusted-assistant disabilities friendly voting system in accordance with the teachings of the present invention.
Figure 10 is a combination block, flow, data, and cryptographic protocol diagram of an exemplary embodiment of a mixing system in accordance with the teachings of the present invention. Figure 11 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a mixing system in accordance with the teachings of the present invention.
Figure 12 is a combination schematic and plan view of an exemplary embodiment of two-sheet combination ballot in accordance with the teachings of the present invention.
Figure 13 is a combination schematic and plan view of an exemplary embodiment of three-sheet combination ballot in accordance with the teachings of the present invention. Figure 14 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a combination disability friendly voting system in accordance with the teachings of the present invention. Figure 15 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of an untrusted-assistant combination disability friendly voting system in accordance with the teachings of the present invention.
Figure 16 is a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a two- party mixing system in accordance with the teachings of the present invention.
Figure 17 is a combination schematic and plan view of an exemplary embodiment of a carbonless ballot form in accordance with the teachings of the present invention. Figure 18 is a combination schematic and plan view of an exemplary embodiment of a sticker palette and associated ballot form in accordance with the teachings of the present invention.
Figure 19 is a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including printing above scratch-off layers in accordance with the teachings of the present invention.
Figure 20 is a combination block, flow, functional, schematic diagram, of an exemplary embodiment of a paper-based polling-place sign-in and forms in accordance with the teachings of the present invention. Figure 21 is a combination block, functional, schematic diagram, plan, and pictorial view of an exemplary embodiment of a partly automated paper-based polling-place sign-in and forms in accordance with the teachings of the present invention. Figure 22 is a combination block, functional, schematic diagram, plan, and pictorial view of an exemplary embodiment of a manual paper-based polling-place sign-in and forms in accordance with the teachings of the present 3 invention.
Figure 23 is a combination schematic and plan view of an exemplary embodiment of an interfoil and counterfoil arrangement in accordance with the teachings of the present invention. s Figure 24 is a combination schematic and plan view of an exemplary embodiment of a counterfoil overlay arrangement in accordance with the teachings of the present invention.
Figure 25 is a combination schematic and plan view of an exemplary embodiment of a sticker interfoil arrangement in 9 accordance with the teachings of the present invention.
Figure 26 is a combination schematic and plan view of an exemplary embodiment of a split foil arrangement in accordance with the teachings of the present invention. 2 Figure 27 is a detailed flow and block diagram related to an exemplary embodiment of a ballot with write-in in accordance with the teachings of the present invention.
Figure 28 is a plan and schematic view of an exemplary embodiment of a ballot with write-in in accordance with the 5 teachings of the present invention.
Figure 29 is a detailed flow and block diagram related to an exemplary embodiment of a ballot with write-in in accordance with the teachings of the present invention. s Figure 30 is a detailed plan and schematic diagram of an exemplary punchscan ballot with write-in in accordance with the teachings of the present invention.
Figure 31 is a detailed plan and block diagram of an exemplary ballot with write-in in accordance with the teachings of i the present invention.
BRIEF SUMMARY OF THE INVENTION
This section introduces some of the inventive concepts, in a way that will readily be appreciated through making significant simplifications and omissions for clarity and should not be taken to limit their scope in any way; the next 4 section presents a more general view.
Disclosed are voting systems based on paper ballots that provide integrity of the election outcome through the 7 novel use of encrypted votes and other techniques.
In one aspect, forms are disclosed that allow encrypted votes to be me marked and audited by voters and tallied by those running the election subject to public audit. One example form type is comprised of two substantially overlaid 0 layers, with holes in the upper layer exposing indicia printed on the upper surface of the lower layer. Symbols are substantially randomly associated, per ballot, with candidates on the top layer and placed in substantially random hole positions on the bottom layer. Voters find the symbol next to the candidates of their choice on the lower layer and mark 3 both around and through that corresponding hole.
Another example form type is a carbonless form with cooperating surfaces facing each other. Substantially random positions of candidates are printed on the top layer. Voters fill ovals next to the candidate of their choice on the top layer s and the mark is transferred, with special identical so-called self-contained carbonless coatings, to the bottom of that layer and substantially equally to the top of the lower layer, which serves as a receipt. The top sheet is a conventionally-marked and humanly-readable cleartext ballot, and when it is scanned full duplex, the marks on the receipt layer are substantially 3 verified as matching.
Yet another example form type uses techniques somewhat related to known adhesive-label voting, but adapted to encrypted votes so that the choice of which sticker corresponds to which vote is hidden after it is voted, because the 6 association of sticker symbols to candidates is made by indicia printed where the label is adhered to the ballot when voted. The release-coated pallet from which stickers are chosen by the voters servers as a receipt because it is missing the symbols/stickers that encode the votes, but which missing symbol corresponds with which vote is hidden. Again, voters 9 are able to audit other unused positions/ballots to ensure the correspondence of the printing to committed/posted data. Still another example uses techniques somewhat related to known scratch-off voting, but adapted to encrypted votes. In particular, voters remove a region of latex that has the mapping between other regions and votes on it, in order to 2 reveal a first part of a code. Then the voter removes the latex from the region indicated by the destroyed indicia to obtain another part of the code. The physical form optionally is maintained by the voter, while the codes are transmitted by the voter to the election system. Commits to the codes are opened, revealing that they are authentic and locking in the 5 encrypted vote that is also receipted by the pattern of removed latex. Again, voters are able to audit other unused positions/ballots to ensure the correspondence of the printing to committed/posted data.
In other aspects, voters with various disabilities are provided facilities allowing them to readily vote with systems 8 such as those just described. In one example, a blind voter hears through headphones how to mark the particular ballot by utterance of candidate names associated with tactile positions. What is heard is committed to in advance, optionally in parts, and the voter is able to select some such commits to be opened for audit. Voters who can read but not mark can ! communicate what are in effect "encrypted marking instructions" to an assistant, and these are preferably also recorded.
Voters who can hear but not mark signal an assistant where to mark based on an audio selected from pre-committed audio that is subject to audit. Assistants in some examples mark actual ballot parts as a voter would, or where this would reveal 4 the vote to the assistant, through privacy shields or using generic forms.
In still other aspects, simplified cryptography for realizing these systems is also presented. Known encrypted vote systems us public key cryptography, typically to form so-called mix cascades. Such sophisticated cryptography has 7 proven to be a barrier to adoption of encrypted vote systems and other cryptography-based voting based on them. The present application discloses novel techniques that allow the complex cryptography to be replaced by basic encryption of data for which keys are held and potentially revealed during audit. o In yet other aspects, a related system for establishing, in a significantly voter- verifiable manner, the number of encrypted votes that should be included in the election, an integrated poll book, sign-in device, and affidavit function is disclosed. The handwritten signatures made by a substantial but limited number of immediately previous voters are 3 visible to the voter signing in. Signatures on record are revealed for side-by-side comparison, only once the voter signature has been completed. Linking signatures to traditional poll-book and/or affidavits is provided by numbers and/or stickers. β In still further aspects, write-in vote integrity (as well as other ballot and system integrity) is achieved using physical authentication of paper. Microstructure associated with special numbers on ballots is photographed and committed to. Voters, as today, both mark a write-in position and then write-in a candidate in a related space provided. By opening the commits including to unused forms and others similar to those used for vote tabulation itself described above, audit of write-in votes is provided for.
3
GENERAL DESCRIPTION
Some example systems disclosed have symmetry allowing the ballot to be divided in two after it is marked and the voter to keep either part as a receipt. Other example systems develop a cleartext readable ballot and encrypted vote 6 receipt as a result of a voter marking selected candidates with a single mark. Other examples produce an encrypted receipt and an encrypted vote, where the encrypted vote is preferably sent in for counting and the receipt retained by the voter.
Still other systems turn a ballot into an encrypted receipt that bears authentication codes that can be used to vote remotely. 9 The first two are particularly well suited to attendance voting, as well as mail in. The third is believed attractive primarily for mail-in voting as it does not require special tools to mark and produces an encrypted ballot. The fourth is well suited to remote voting where a physical ballot is not returned by the voter. 2 Extensions relate to some or all the example systems. The underlying cryptography can be achieved without using any primitive other than basic commitment, such as encryption with a key that is later revealed when/if the commit is to be opened. Voting by the blind and those who have difficulty making marks is achieved for the first two mentioned s systems, which are attractive for attendance voting. Write-in capability for attendance and remote voting systems is achieved in a way applicable to all the systems.
Check-in systems for attendance voting sessions are also disclosed with novel voter verifiable integrity and that s relate to the encrypted vote attendance systems described.
In one aspect, as will be appreciated, disclosed here is a voting system with audio presentation of voting options, at i least two different audio channels potentially played to a voter, where each voter is able to take for verification and without compromising privacy at least a copy of at least one of the channels and the choice of which channel the voter will take is substantially unpredictable to the system and the channel contents substantially previously committed to. 4 In another aspect, disclosed is a voting system with at least one potential confidential presentation to a voter, related to at least a commitment to at least one such potential confidential communication, and where the voter communicates signals to an assistant to indicate where the assistant is to make marks and at least one potentially 7 confidential presentation is auditable without compromising voter privacy.
In still another aspect, disclosed is an encrypted vote system based on cryptography comprising substantially only commitments to values, where it is verifiable to the public based on accepted random challenges that encrypted votes o result in the cleartext tally with substantial probability but substantially not which ballot corresponds to what contribution to the cleartext tally.
In yet another aspect, disclosed is a voting system in which receipts substantially authenticated by at least some 3 parties conducting the election include substantially a code that allows an online version of the form submitted by the voter to be viewed in the correct way but where different codes would correspond to different choices being viewed.
In a further aspect, disclosed is voting system in which at least two parties each have substantially separate secrets 6 needed to determine the correspondence between ballot forms and results and said two parties are involved in printing. i n
In a still further aspect, disclosed is a paper ballot system in which provision is made for a voter to remove a substantially self-adhesive element from one part of at least a related form and apply at least a part of the element to at least a part of at least a related form and where: (a) the vote is hidden in the resulting combination from view by the public having access to completed unvoted forms; or (b) voters being supplied substantially more than one part per choice and opening substantially previously committed values to substantiate that at least some of the parts supplied have corresponding indicia; (c) commits are made to parts of the information on the form, some of which are selected for opening during audit; or (d) establishing based on audit that the tally substantially reflects the votes cast.
In a yet further aspect, disclosed is a voting system with choice determined by indicia destroyed to reveal coded votes including: establishing based on audit that the tally substantially reflects the votes cast; or voters being supplied substantially more than one part per choice and opening substantially previously committed values to substantiate that at least some of the parts supplied have corresponding indicia; or establishing based on audit that the tally substantially reflects the votes cast.
In a yet still further aspect disclosed is a polling-place sign-in system that exposes a substantially fixed number of chronologically preceding sign-ins to the next voter signing in. In a still yet further aspect disclosed is committed form substantially microstructure region signatures of forms and later selectively opening at least some of said commitments.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Detailed descriptions are presented here sufficient to allow those of skill in the art to use the exemplary preferred embodiments of the inventive concepts.
The punchscan system described with reference to Fig 1 and 2, will be described first more generally. It uses two or more layers. The material is opaque or transparent or translucent. In case of three layers, nesting holes, for instance, allow all three to be marked and the middle one can be used for recording the positions and the voter can keep one of the two outer layers. In some examples, both those not kept by the voter are separately sent in or collected and posted as encrypted votes, the redundancy providing protection against loss and also revealing cheating. Marking means is for instance by application of ink or activation of coatings or mechanical deformation. Ink can be, for instance, by dauber or stamp or pen or pencil.
Holes are formed such as by drilling, punching, die-cutting, laser cutting. They can be pre-formed in a way customized to a particular ballot layout or in a more generic way that may have some unused holes but that preferably also allows demand printing of ballots. Round holes per symbol or slots for multiple symbols are examples. More generally, whatever shape combination, called here a "provision," allows one or more symbols to be seen and records a mark on the upper layer as well as the lower layer indicating the position of the mark. As an example, an edge of one sheet exposes a portion of the sheet below, with marking optionally straddling the edge. The shape of the hole optionally, in some embodiments, encodes all or part of the symbol. Perforation or adhesive or mechanical joining holds parts but is separable. A tamper-evident aspect to the separation can protect against combining improperly and also can keep the identifying information hidden at least until after the voter fills the forms, such as that described with reference to Figs 23 through 31. Tamper proof tape is known and optionally is applied to adhere parts together.
3 Perforation along fold line along leading edge allows processing through paper handling equipment, such as demand printers. This can print the top layer and through the holes to the lower layer at the same time, such as with a conformable rubber belt of a laser printer or inkjet printing or various kinds of thermal printing. A leading fold line with or without e whole or partial or crossing perforation patterns is also anticipated.
The scanner at a polling place or where absentee ballots are received optionally reads the identifying information on one layer and determines the other layer and provides authentication of both that other layer and the mark position 9 information read. At polling places, voters are optionally allowed to see the scanned image and preferably then also indications on it of how the marks are interpreted, such as whether recognized, overvotes, or stray.
A "double sided" version, in one example, allows voting by flipping the still attached layers over. Holes in one layer 2 preferably do not line up with those on the other layer, so there are no holes through the laminated layer arrangement.
The identifying numbers on the two layers are anticipated to be marked or encoded in various forms, such as human readable or based on steganography. In some examples, all or parts of a number are to be the same and they are preferably s punched through so that this property is readily apparent to voters.
Printing is preferably done by three separate entities, one for each layer and a third that places the number on both layers. In other examples, two separate printers are used and the numbering is that supplied by each. It is believed that 8 with only two, a security audit of actual printed forms is one way to detect that the wrong layers are paired. With three printers, the third printer in some examples applies a common serial number that the voter can the readily recognize is the same on both layers and that a security audit of the paper to ensure layers are combined properly is obviated. Other 1 example ways to reduce the need for such audit include: letting the voter choose which serial number to take independently of which layer, such as by perforated tabs that can be left attached to either layer; letting the voter choose some digits of the serial numbers from one layer to mark on the other layer; providing for multiple hole locations and/or 4 indicia positions so that mismatched layers cause improper marking; and so forth.
In some examples a single entity prints the forms completely. In other cases, different machines and/or entities do parts of the printing. In some cases, a machine can be assumed to not record information that it has access to, such as 7 because it is unable to read that information or its structure is such that it does not retain that information even if it processes it. In the example of demand printing, parts of the form may already be printed and the device unable to read those. Some devices may read limited information from other devices and then print, such as a common serial number o applying device. Two or more entities can each form their own "onions" to allow the decryption, mixing, audit and posting of the final result. Each gets what it needs from communication with the other. Layers of a form are optionally divided into parts that are processed by separate entities. 3
Turning now to Figure 1, a combination plan, schematic, and layout diagram of an exemplary embodiment of a punchscan ballot in accordance with the teachings of the present invention will now be described in detail sufficient for 6 those of skill in the relevant art. Figure IA and IB are views before voting, laminated and separated respectively; figures 1C and ID are similarly views after voting, laminated and separated respectively. A single contest between three candidates is shown for clarity and concreteness. The voted ballot shows a vote for the first candidate named, as an 9 example and uses a dauber style of filled circle marking. Specifically referring to Fig IA (with the terminology shown for clarity in the other parts of Fig 1), depicted is 3 what the voter would see when the ballot is in the laminated and still un-voted state. It will be appreciated that each candidate name has an uppercase letter next to it, an example of a symbol. Similarly, through the holes, the same three uppercase letters are seen, in the example in a different order. Of course since the orderings are preferably apparently e random, it is anticipated that there is probability that they would be the same on some ballots. It will be appreciated that the serial number is visible to the voter both as printed on the upper layer and as visible on the lower layer through the cutout.
9
Referring to Fig IB, the two layers of the example are shown side-by-side. What is not shown for clarity and readability of the figures is that the lower layer is preferably formed from the same sheet and its upper face seen through 2 the holes is actually the back face of the sheet. A preferred fold line is across the top, with a co-extensive perforation score line. For demand printing, or other feeding, the ballots feed through with the folded edge leading and so are not as likely to get separated into two sheets as if they were fed through with two separate edges leading (especially those s opposite the fold line).
Referring now to Fig 1C, the overall mark by the voter is shown as an approximate circular disc of transparent ink. 8 Such a mark can be made using a bingo dauber or a rubber stamp or the like. Also, a similar mark can be made using ordinary writing instruments, such as by putting a cross through the whole structure. In some embodiments, the voter may be free to only mark one or the other form, the one that i is to be turned in. This is believed to have some privacy advantages.
Referring to Fig ID, the voted layers are shown separately. The mark circle that was inked through the hole is on 4 the lower layer and the marked ring with the hold punched out from it on the upper layer. The other indicia are as before. It will be appreciated that in this example the vote has been for Jojo Nobo. The reason is that Jojo has the symbol "C" next to his name and that symbol appears on the bottom layer in the middle hole, and the middle hole is the one that was 7 marked with the circle. It is believed that looking at either layer separately does not reveal who was voted for; it is in the combination that the vote is readily seen. However, by the marking of the middle circle, either layer records the particular vote, it is believed, as a consequence of the commits to the overall structure. Similarly, the first or left circle would o constitute a vote for Ms. Fum and the right or last circle for Mr. Mahoney.
Turning now to Figure 2, a combination block, schematic, flow, diagram of an exemplary embodiment of a overall 3 punchscan election in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Included are two different kinds of voting, either or both of which could be used in a particular election or related use scenario. Three stages precede the physical creation of the ballots and then there are the 6 two types of voting and the final processing in two stages.
More particularly, the process begins in step 10201 and then box 10240 indicates that for each layer the arrangements of the symbols and so-called onions, being the example used for clarity in the descriptions without 9 limitation, known in the art for mix-based elections are constructed. Then in box 10241 the values of the layers, being the arrangements of symbols and the serial number or other identifying information, are preferably committed to, such as in the cryptographic sense. Next shown as 10242 is a so-called "proof process step that preferably is able to convince a various parties that the commits are at least substantially correct with at least substantially high probability. One example shown for clarity, but without limitation, is the opening of a random selection of the layers so that their structure can be checked. B Now box 10260 indicates that the ballot forms are physically created such as by printing and punching and perforating and folding. These use the committed to data that was not revealed, if any was revealed, in step 10242. Some further examples of this step are included in Figures 3 and 4. 9 In a first kind of voting the voter allows the system to make a copy, such as by scanner or digital camera, of the layer that the voter will keep; the other layer is preferably verifiably destroyed. This is shown in box 10262. Then box
10264 shows that the ballot obtained from the voter can be posted and/or signed or otherwise provided with a way to 2 confirm its authenticity.
In a second kind of voting the voter provides the system with one actual layer and the voter retains the other actual layer. Examples are mail-in ballots and polling places that are not equipped to copy and/or destroy layers. A novel s inventive feature of the present invention is that the layer the voter keeps can be re-constructed from the layer retained by the system. This then allows the systems to post and/or other wise provide authentication of the layer taken. It will be understood that this is preferably done in a way that strips away unnecessary detail, such as the particular imperfections in s marks or alignment or uncounted marks and the like. The main thing to be gleaned from the layer the system has is which holes are marked and the identity of the layer. In one example, the system then looks up the corresponding other layer by the serial number, such as when they are identical or maps them if they are not, and then opens the commit to the layer 1 held by the voter and uses the onion of that layer. The rendering provided in the authentication includes the locations of the holes marked.
Box 10280 presents the step of forming the tally from the encrypted votes, as is known in some example systems 4 and could readily be adapted here for use with a single layer and its onion. The audit and verification 10290 then provides
"proof preferably to the public that the operations 10280 were performed correctly, and sometimes further checks on committed to or posted data. Known examples are suitable, where certain links in a mixing structure are opened 7 responsive to random challenges created by a publicly verifiable process. The election then ends in step 10202.
Turning now to Figure 3, a combination block, schematic, flow, diagram of an exemplary embodiment of a o punchscan ballot production in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. When the process begins, 10301, the paper or other media is marked 10320 by a first device or entity. In some examples web fed processing is preferably used until a late stage; in other examples, 3 processing is largely sheet fed. Then a second example entity marks the ballots as they flow by, as indicated in box 10330. In one example, the ballots are given process serial numbers to ensure synchronization from stage to stage, but these are then removed later so that an entity knowing only one layer, for instance, does not learn the identity of that layer o from the other layer if shown or posted. In some examples the printing devices can be assumed not to retain data that they should not; in other examples, they are assumed to retain the data and more care is needed in dealing with them, although the assumption itself is easier to ensure. Box 10340 indicates a third entity that marks numbers that will be retained on the layers. In some examples the same number is marked on both layers, such as preferably by perforation through both, although this may be done with 3 advantage after the folding 10370 for better alignment of layers.
Once the forms are marked, possibly apart from the numbers or other last-minute data, box 10350 indicates that the cutouts and holes are preferably formed, while still a web and after printing. At this time, also whatever perforation e 10360 is made. Then box 10370 indicates that the forms are cut into sheets and/or trimmed of serial numbers and then folded or otherwise laminated.
s Referring now to Figure 4, a block diagram and flowchart of an exemplary embodiment of a punchscan ballot demand printing in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Box 10301 is the start of the demand printing. The process typically includes a request 2 for a ballot and also the form that has been pre-punched as input as indicated in box 10420.
The ballot is printed as indicated in box 1030, including optionally through the pre-punched holes mentioned. Then box 10440 indicates that the resulting ballot is ready for use and the process ends 10402. 5
Turning now to Figure 5, a combination block, flowchart, schematic of an exemplary embodiment of a first disabilities-friendly voting system in accordance with the teachings of the present invention will now be described in s detail sufficient for those of skill in the relevant art. The voter in the booth hears the audio through transducer means shown as headphones 20101. The voter preferably is provided with ballot form 20110 to mark while hearing the audio. Each of the audio and paper are shown in two parts: the audio is divided between track or channel "A" and track or 1 channel "B," shown for clarity as being provided by separate transducers 20101a and 20101b, respectively; the paper is initially in two sheets, the upper labeled "A" and the lower labeled "B," 20110a and 20110b, respectively.
The "scripts" for each audio track, that is the text corresponding to what the voice on the track reads, are shown in 4 schematic form: the script for channel "A" is shown as dotted box 20130a; that for track "B" similarly as 20130b. The dotted arrows between the two scripts are intended to suggest the lines that are simultaneously on both tracks and the temporal interleaving and pacing of the other lines. For instance, arrow 20140 indicates by arrowheads at both ends that 7 the line of each script 20130a and 20130b are the same and that they are to be read at the same time on both channels, so that they are recorded on both tracks. Thus, the voter hears through both ears a voice say "Serial number three four three four." Then, line 20141 indicates that again simultaneously a second line, in this example a contest identifier, similarly is 0 read on both channels.
Next begins the sequence of candidate names and positions, mentioned earlier. Arrow 20142 indicates that relatively quickly after candidate name "Joe Man" is read on channel "A" from script 20130a, the location of the 3 corresponding hole is audibly indicated, such as by script 20130b calling for a voice to read "position three." After this, a relative pause is indicted by the wiggle in arrow 20143, before the next candidate/position pair is read, as this phrasing is believed to be a convenience for voters and to provide a kind of punctuation. As will be appreciated, if the voter wishes to 6 vote for Joe, then he or she is to find the first position on the first contest, such as by scanning his or her finger down the ballot until that hole is felt and then mark that hole with the dauber (which is provided to the voter but not shown for clarity). Again, the mark is preferably in the same position on both sheets. (Also not mentioned further, but optionally 9 present, is a tactile guide to facilitate voters finding the correct holes.) The other candidates and their positions are read in a similar manner: Shortly after "Mary Woman" is read on channel "A," channel "B" voices "Position four," according to arrow 20144, after which a pause is indicated by arrow
3 20145. Then, just after "Daffy Duck" is read on channel "A," channel "B" voices "Position one," according to arrow 20146, after which a pause is indicated by the wiggle in arrow 20147. Again, then, just after "Sean Sealion" is read on channel "A," channel "B" voices "Position two," according to arrow 20148.
B The voter, not shown for clarity, may wish to repeat parts of the audio, skip forward, fast forward, rewind, or otherwise navigate/traverse with or without audio on. Input means 20156, shown as a touchtone keypad, a familiar input mechanism, allows such navigation, much as with known so-called "Interactive Voice Response" systems. As a concrete 9 example: the left column (one, four, seven, star) correspond to move backwards through the tape slowly with playback, move backwards rapidly with playback, skip back to begin of candidate (or previous candidate on repeat/hold), and skip back to start of contest (or previous contest on repeat/hold), respectively; and similarly, the left column corresponds to
12 forward motion of the same type as the opposite on its row. Overall speed of voice and even choice of speaker are preferably options for the middle row, such as: "five" pause, "eight" speed up a notch, "zero" slow down a notch, and "two" change speaker and/or mode. In some modes pairs of candidate and position are only read when prompted by voter
15 using four and six. Optionally, where a voter is to be able to audibly mark a position, as mentioned, a special action is preferably used to avoid inadvertent marking. One example is a so-called "cord," more than one button is pushed at a time. For instance, pushing down all three buttons, four-five-six, is an example chord for marking. is The audio is generated by computer 20161, such as a computer at a polling place, using the well-known techniques for playing sampled voices and/or synthesizing voices. Computer 20161 receives navigation commands from keypad 20156, as just mentioned, and these control its logic, as is well known in the IVR art. In terms of hardware, for instance,
21 telephone cards are manufactured by a number of companies that attach to standard computer back plane buses and interface to the switched telephone network. These, or sound cards, generally have the well-known capability to detect Touch Tone or DTMF signals from a suitably-powered standard telephone keypad. Computer 20161 knows the ballot
24 serial number before it reads it. One example way to accomplish this is for the number to be from a pre-arranged sequence. Another example is for the number to be supplied by input means, such as a barcode reader or keypad 20156, preferably after an operator "PIN" code sequence is entered.
27 While the voter is navigating, operating are two tape recorders, 20155a and 20155b. They preferably record a log of what the voter hears, in the sequence heard, and are not affected by the navigation, but rather record a chronological log of what the voter hears. In particular, recorder 20155a is connected by cable 20162a to sound source 20161, to be
30 described further, and to transducer 20101a, already described; similarly, recorder 20155b is connected by cable 20162b to sound source 20161 and to transducer 20101b. Shown contained within tape recorder 20155a, during the time of recording, is standard compact cassette tape 20150a; similarly, shown contained during recording within tape recorder
33 20155b is standard compact cassette tape 20150b. (Of course analog tape recording is rapidly being replaced by digital methods, and cassette tapes are shown here for concreteness and illustrative purposes.)
After the voter has finished voting, he or she is preferably provided with his or her choice of either both "A" parts,
36 or, as the other option, both "B" parts. Thus, there are two scenarios: one shown in dotted box 20121 and the other in box 20122. The box for scenario is shown including the respective tape and sheet: box 20121 contains tape 20150c and sheet 20110c, which are the same as tape 20150a and sheet 20110a, but shown again as part of one of the two alternative after-
39 voting scenarios; box 20122 contains tape 2015Od and sheet 2011Od, which are the same as tape 20150b and sheet 20110b. The hollow arrows show for clarity, as will be appreciated, the flow of these objects from the voting configuration to one of the two scenarios 20121 or 20122. (The arrow taking the sheet to scenario 20122 is shown as
3 starting under ballot 20110 to suggest that the bottom sheet is taken, whereas that taking the sheet to scenario 20121 is shown starting above the ballot indicating the upper sheet.) Within each scenario shown also is the rendered image of the paper receipt that is preferably available online, 20175 for scenario 20121 and 20176 for scenario 20122. Also shown are 6 instances of potentially the same voter audio connection or telephone, 20170a and 20170b, whereby the voter is preferably able to compare the audio sequence to that on the tape. For instance, the voter is preferably able to navigate over the network as during voting, but in any case only hearing the scenario channel. The providing over a 9 communication network of this content, whether video and/or audio, is shown as being done by server 20162.
Audio optionally contains audio "markers" that mark certain ballot positions, whether associated with the A channel information or the B channel information. For instance, just after the candidate name and position are read (one 2 on each channel) a distinctive audio signal is inserted during the pause. In some embodiments optionally voters provide input to indicate where the audio markers are to be placed to correspond with what they have physically marked the paper. In other optional example embodiments, the system introduces audio markers based on what it has learned from 5 scanning physical ballots. As mentioned earlier, if both sources of markers are used by a system and it detects an inconsistency, that is the voter apparently placed audio markers on positions other than those that the voter has physically marked, then the system preferably notifies the voter of this, such as by an audio message. Preferably in such cases, 8 voters may be allowed to "spoil" their ballot and cast a new one. Audio markers present on online audio are preferably regarded as checked for consistency with other online forms of ballots by automated auditors, such auditing more fully described generally later. Of course voters may be free to make their own record of what they have marked, and then they 1 can check against audio markers inserted by the system from reading the physical ballots. It will be appreciated that in one option instead of inking the ballots all voters in the system use, for instance oversized paper punches, or otherwise at least partly mechanical marking means. It is believed that the set of persons able to recognize the positions of the marks 4 on the sheets is substantially increased and that audio markers would allow adequate audio checking of such ballots.
Now consider the checking of the physical sheet, physical tape, online visual data, and online audio data available to a voter under one of the scenarios (without audio markers, as has already been described). Each of the four can, it is - believed, be checked against any one or more of the others of the four.
There are believed to be six pairwise comparisons examples for each scenario instance. The pairwise checking of electronic renderings of visual and audio are believed preferably open to anyone over the network and can thus be o checked rather fully by devices impersonating voters. Such automated checking by whatever parties is believed in practice possible to make substantially indistinguishable from that of humans. This is preferably used to compare this rendered online information to that made available for audit of the rest of the system, such as the tally process. (Included 3 are audio markers, if present, as mentioned earlier.)
An artifact is optionally checked against its corresponding online rendered version. Checking a paper ballot against the online graphic version, presumably entails entering the serial number, and optionally is by visual inspection of 6 what should be two identical sets of indicia (except that optional "helper" numbering information, as will be described, is on the online version, although it is preferably set off graphically, by color, font, or the like, so that it can readily be ignored in the comparison). Checking the tape against the online system, optionally, entails entering the ballot number γ-j and then navigating through the online system as the tape plays and checking that the candidate or locations match, in scenario "A" or "B," respectively.
3 Online graphics are optionally compared to the corresponding tape. First consider comparing the online graphics
20175 with tape 20150c. The order in which candidate names are read by the tape should be according to the helper numbers added to the online rendering 20175 beyond what is shown on sheet 20110c (these helper numbers can be β checked for consistency from 20175 alone using the fixed lexicographic ordering convention as mentioned). Now consider comparing the online graphics 20176 with tape 2015Od. The order in which positions are read on the tape should be according to the upper row of numbers (the lower numbers simply provide a convenient reminder of the number of the 9 columns). Thus, for instance, the first position that should correspond to the first candidate name read (but not read on 2015Od, only 20150c) is three, which is found by locating the one in the top row (above "a") and then looking up its column number in the bottom row, three. (As with 20175 and 20110c, these numbers on 20176 are ignored when 2 comparing it with 2011Od, since they are not on 2011Od and can be checked for consistency on 20176 alone using the fixed lexicographic ordering mentioned.)
Online audio is optionally compared to the corresponding paper. The effect is the same as with the online graphics, s though the helper numbers are not present. When sheet 20110c is consulted during interaction with audio navigation 20170a, the order in which the names are read per contest is checked to be in the fixed lexicographic order of the symbols present. When sheet 2011Od is consulted during interaction with audio navigation 20170b, the position number sequence s heard should be that of the symbols traversed in the lexicographic order.
Not shown for clarity in the figure are examples of actual vote marks in the scenarios. A voter could mark any hole or back sheet symbol. Which position is marked is preferably shown in the online sheet, 20175 or 20176, to allow the 1 voter to check that it was recorded correctly. Similarly, the audio navigation 20170 preferably indicates which positions were marked (as mentioned earlier), such as for instance to facilitate the case when the paper is punched or a sited person is checking using the public switched telephone network. 4 Also shown, ignoring the scenario boxes 20121 and 20122, is the possibility for a voter to practice using the audio navigation system over the phone. Of course, software could be available that would allow voters to practice at home, even while offline, but when server 20165 offers this service, such as a toll free service for a few weeks before the close 7 of polls, voters can familiarize themselves with it and practice, thereby saving time at the polling place and increasing their confidence. Also, extra comfort would encourage and facilitate checking the tape online.
o Turning now to Figure 6, a combination block, flowchart, schematic of an exemplary embodiment of a second disabilities friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Much of the setup is, for clarity, shown as it was for Figure 5. Those 3 parts that differ substantially are for clarity explained in detail, while those parts that are the same as corresponding parts of Figure 5 have already been detailed with respect to Figure 5 and are not further described for clarity.
One difference, as will be appreciated, is that both channels are played to each ear, as shown in the labeling of 6 transducers in headphones 20101. Thus, a single mono audio is played to both ears; since the information is read at preferably substantially un-overlapping times, the effect is believed to be very natural. If there is only one speaker, for example, the fact that there are two tracks can be hidden from the user at this point. Another difference is that a single recording is used as the source and the voter can play this recording using standard players. For clarity and simplicity but without loss of generality, the recording will be referred to as disc 20153, 3 such as a CD or DVD. The two tracks are both stored on the disc, but each is encrypted under separate keys. The disc
20153 is provided to the voter, under either scenario, preferably substantially unaltered from when it was originally burned before the election. A media with write once capability, such as laser discs, is believed and advantage in the e present arrangement. (Audio marker positions or keys are optionally appended, however, as mentioned later.)
In some example embodiments, the disc uses an audio encoding allowing a standard audio disc player to be used.
This is believed to have advantages, including cost savings and verification advantages when voters and/or observers are 9 allowed to supply their own. Since audio recording devices have substantially higher fidelu^andwidth than is typically used for speech, and since modern codecs can provide substantial compression, the two audio tracks are believed readily able to store encrypted digital versions of the voice tracks with adequate playback speeds. 12 Referring to box 20180, the conversion from audio to decrypted speech is shown, as would be readily understood by those skilled in the speech encryption art. For clarity, a single speech stream, including three kinds of segments is described: (a) unencrypted segments that are part of both logical channels, (b) those segments encrypted with a key for 15 channels A, and (c) segments encrypted with the key for channel B. (Overlap in the speech streams is not considered, but could be incorporated by someone of ordinary skill in the speech art, such as by using separate tracks). First "modem"
20181 converts the audio stream to a digital one. Then the result is decrypted by decryption device 20182: unencrypted is segments of the stream are passed through, those for channel A decrypted with the key for that channel, and those for B with its key. The resulting cleartext stream is converted to speech stream by "codec" 20183. The resulting digital speech is then converted to analog audio by a-to-d converter 20185. A mono headphone driver 20186 is included for clarity. (For 2i optional compatibility with other embodiments, separate time division multiplexing of the audio out onto the A and B channels is performed by two single pole single throw switches 20184, onto lines 20162a and 20162b, with drivers for these lines not shown for clarity). 24 The generation of discs 20153 is in some embodiments performed before the day of the election, as would be readily understood by those of skill in the art. Each disc is associated with a paper ballot of a particular serial number.
The keys needed to read the disc are then distributed securely to the units 20180 or preferably the decryption engines 27 20182 within them, using known key management techniques. After the voter votes, the disc can be provided to them.
The key, E or F, depending on whether scenario A or B applies, respectively, is provided to the voter. One way to issue such a key is by writing it onto the audio, though this has the disadvantage of requiring a write-capable disc drive. Other so example ways include providing the voter with another piece of paper or sticker bearing the appropriate key. Yet another option is to publish the key along with the content of the disc and/or signature on the disc content. (Copies of the digital signatures of the data on the disc, including some known error correction coding, is preferably included on each disc.) A 33 voter's personal computer could optionally check that the signature on the disc matches the data on it and that the signature is posted online. Speech recognition software, in some embodiments, optionally even checks the disc against the online ballot information. 36 One exemplary use of this embodiment is for an "un-automated" polling place, where pre-made discs, matching ballots, a standard disc player and special headphones with the decryption chips built in, would allow the blind to vote. It is believed that if the circuitry 20180 is miniaturized and visible, various inspectors can readily ascertain that it is limited 39 in its capability to store and permute the audio, such as would be required for various cheating scenarios. Turning now to Figure 7, a combination block, flowchart, schematic of an exemplary embodiment of a third
3 disabilities friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Again, those parts that differ substantially are for clarify explained in detail, while those parts that are the same as corresponding parts of Figure 5 have already been detailed with respect to β Figure 5 and are not further described for clarity.
Container 20191 allows the voter or observer to hide which channel, A or B, is being recorded by a recorder supplied by a voter or observer during the voting. In the example, circuitry in device 20190 that is believed would have to
9 be compromised to cheat voters is simple analog electronic components that can be arranged in transparent and miniaturized fashion that it is believed would allow determination by physical inspection that no extraordinary functionality is included. Buffer devices protect which channel the recorder is attached to from being measured from the 2 signal source. The channels are optionally mixed, while avoiding crosstalk, to a mono signal for the headphones. While keypad 20156 and computer 20161 are shown, as in Figure 5, the separate channel inputs are optionally provided by the embodiment of Figure 6, using the ports 20162 as signal source. Recording media 20152, such as for instance a compact s flash memory card, is shown communicating with recorder 20151.
In particular, container 20191, such as a locking metal box, is shown containing a single-throw double-pole switch 20195 whose structure is readily ascertainable by inspection. A connector 20196, such as so-called 3.5mm plug, connects 8 to the mating connector, such as jack 20151a, in the recorder 20151. In some embodiments, container 20191 only houses switch 20195 and connector 20196 is external, such as at the end of a cable. It will be appreciated that a consideration is emanations from a cable and/or recorder that might reveal which channel is connected. Another example embodiment of i the switching and plugging functions will be described later with reference to Fig 8.
One function of device 20190 protects the configuration of box 20191 from being measured remotely. It is believed that, for instance, simple power measurements or even time domain techniques could be used by a sound source 4 to "look inside" box 20191 and determine which channel is being recorded. Accordingly, buffers 20192a and 20192b are provided to prevent this. Suitable structures would readily be conceived by those of skill in the electronics art. For instance, low pass filters are believed helpful in preventing time domain measurements and zero-gain amplifiers for 7 preventing simpler measurements. Other techniques, known in the art, include isolation transformers and optical isolators. A different consideration is that the level of noise on a single channel output should be relatively high compared to the crosstalk level. 0 A second function of box 20190 is to provide the mono drive 20163 for headphones 20101. Since it is believed that summing amplifiers might increase the amount of crosstalk on the two lines, buffers 20193a-b (which might be simple resistors in some examples) are shown preceding the input to summing amplifier 20194 that also servers to drive 3 headphones 20163, such buffers, amplifiers and drivers being well known in the audio electronics art.
After the voter has voted, at least, it should be readily ascertainable whether the voter has recorded only a single channel. One example embodiment is a mechanical lock whose key cannot be removed until closed, where the voter is to 6 surrender the key before the sound source is activated. Another example is automatic means to detect that the container is closed and prevent a valid vote from resulting if the container is opened before the poll worker or other authorized inspector is present. Yet another example is a switch that can only be changed between positions by a key that is 9 surrendered during the entire voting interval or must be inserted into another device during that interval. The voter or observer is able to take the same player, 20151 away from the polling place and use it to listen to media 20152, which is shown as 20152a for scenario A and 20152b, when it is storing the audio of channel B.
3
Turning now to Figure 8, a combination block, flowchart, schematic of an exemplary embodiment of a fourth disabilities friendly voting system in accordance with the teachings of the present invention will now be described in
6 detail sufficient for those of skill in the relevant art. Those parts that differ substantially from Fig 7 are explained in detail, while those parts that are the same as corresponding parts of Fig 7 have already been detailed with respect to Fig 7 and are not further described for clarity.
9 This embodiment allows sited voters to vote without paper but with encrypted ballots, using an adaptation of the recorder techniques already described with respect to Fig 7. A rule 20133 is made know in advance that associates certain pairs with positions within a contest. In the example, three pairs comprising the top row, are associated with the zero'th 2 position; they are readily recognized in the example for convenience as having modulo three sum equal zero. Similarly, the middle row of rule 20133 comprises pairs each summing to one mod two; and the bottom row pairs sum to two when the remainder is taken after dividing by three. It will be appreciated that each value zero, one or two appears exactly once 5 in each first component of each column and similarly in each second component. Moreover, each digit appears as the first component in a different row in each column and also in a different row in the second component of each column. The column is committed to for the particular combination of serial number and question. 8 For a particular ballot serial number and contest, the first digit determines the row, which determines the candidate in the fixed ordering given by the rule, assumed here alphabetical by candidate name and not shown in rule 20133 for clarity. Similarly, the second digit also determines a candidate. Each digit alone, however, is believed not to reveal the i candidate to those not knowing which of the columns is being used for the particular contest, as each component appears in a row per column, as already mentioned.
In the example instance shown, the touch screen 20111 shows the voter the ballot serial number and contest 4 identifier, along with a row per candidate. The candidate names appear in alphabetical order as mentioned and for convenience. Adjacent to each candidate name is the ordinal number of the row for convenience and as maybe customary. At the beginning of each row is the pair from the rule column being used, the first column in the example 7 instance shown.
When the vote touches the screen, as shown by the hand, to select the particular candidate he or she wishes to vote for, touch screen 20111 transfers this information to computer 20161 over the line shown. At this point, channel "C" 0 reads out the first digit of the pair, "zero," and channel "D" reads out the second, "two." Either one of these, as mentioned, determines the candidate "Mary" for this particular ballot and contest, as they each identify the last row of the column committed to, as mentioned. The sounds are combined by mixer 20194 (which takes and additional input as will 3 be described), and so the both "C" and "D" are heard as mono on each headphone speaker. The voter optionally, at this point, is provided with the opportunity by the system to check that what he or she hears is the pair shown next to the candidate name touched. Also the voter can check that the sum of the pair corresponds to the correct position on the row, 6 in this case by adding the digits and checking that the result is the row number (in zero-based indexing). The voter is also able to check the data displayed for the other rows similarly, though the one voted for is of the most interest.
Later, the voter chooses between scenario "C" 20123 or "D" 20124 and leaves the polling place with the 9 corresponding recording 20152c or recording 20152d, respectively. When playing the recording, the corresponding script is heard and the other one not, as in the previous embodiments, and as will be described more in detail. The voter then is provided the option to check the consistency of the recording with the online data provided, either audibly or visually. 3 The visual image is shown in case of scenario 20123 as the contest identifier and first component zero; in scenario 20124 it is two. Similar data would be available through the phone, voice, or IVR like system as already described, which is in effect run against the same database of encrypted votes cast. B The commitment to the columns for each ballot serial number and the decryption and mixing of the votes for publication and audit is substantially as for the previously disclosed encrypted votes systems, as would be readily appreciated by those of skill in the cryptographic protocol art. 9 Candidate names and the like are, optionally, read through the headphones to voters as well. This type of feedback is believed useful to at least some voters and serves as a part of the user interface to confirm the choice made to the voter.
This cleartext vote, however, is not to be allowed to be input to recorder 20151. Such cleartext is, accordingly, output by 12 computer 20161 on a separate channel 20162c, which is then summed by mixer 20194a along with the other two channels
20162a-b. Buffer 20193c is inserted before the mixer optionally to reduce crosstalk.
Also shown explicitly is the option for two plugs 20196a-b, each connected to a firewall 20192a-b, respectively. is Plugs 20196a-b are in container 20191, where the voter or observer chooses which one to connect to recorder 20151. One advantage of such a two-plug arrangement is believed to be that if the cables are sufficiently long and substantially unstructured in their arrangement, it may be difficult for anyone getting a glance of how the voter connects recorder 1 s 20151 to learn which channel it is on. Also, the voter is believed not to suffer from being forced to make a random choice of which channel is recorded, and is thereby protected against frauds that would require the voter to connect to a particular channel. 2i As will be appreciated, a variation is where the voter makes a choice between two alternative "challenges" in addition to the candidate, such as by "touching" the first or last half of the candidate name. In such a system, a different kind of rule is preferred and it is believed that only one channel of script is preferably read. The contests are labeled by 24 two columns of numbers: each column in numerical order but in a modular system. The commitment is to the list items from the top row. In the case of "challenge 1 " the top row for column one is read followed by the number in the second column labeling the candidate chosen; for "challenge 2," the first number read is the top item from the second column and ?.7 then the second items is from the first column and is from the row labeling the candidate chosen. Thus, one channel of audio suffices. Optionally, the names of candidates are also read, but over a different channel or with different encryption, so that the voter hears the audio confirmation of the choice but is not provided a copy of that channel, as it could be used so for improper influence schemes.
Turning now to Figure 9, a combination block, flowchart, schematic of an exemplary embodiment of a untrusted- 33 assistant disabilities friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. In this embodiment, persons with disabilities communicate their vote to an "assistant," who is then to mark the ballot accordingly. (Settings in which more than one 36 other person marks the ballot, and/or where votes are entered by means other than through a paper ballot, are anticipated but not included in the description for clarity.) A headset 20102 is shown for the voter and another headset 20103 for the assistant. (In some examples, also not described for clarity, the voter and/or assistant optionally does not use audio input 39 but video input or both audio and video; at least one of the inputs, voter or assistant, is preferably kept from being readily learned by others.) The voter optionally uses recorder 20157 to record an audio version of some of the channels, to be described. The voter also receives a marked receipt comprising one half of a ballot having one serial number and both 3 halves forming a complete ballot for a second serial number.
Three scripts are read: one for the first ballot 20133, that has serial number "3434" (as will be appreciated, the same example indicia as that used in other figures), labeled "E" here for clarity as it is one of two; one for the second 6 ballot 134, with serial number "3435" and labeled "F"; and one for the ballot position order 20135, labeled "G." Each of script 20133 and 20134 reads the candidates in the same order as the positions of the holes on the corresponding ballot,
"E" or "F, respectively. In the example, the first ballot corresponds to the one the voter votes, and the recording of script 9 20133 is thus one that would compromise ballot secrecy if provided to the voter. (The ballot the voter does not vote, ballot 20134, once revealed to be so chosen by the voter after voting, is preferably provided in its entirety to the voter for checking against the published commitments.) 12 Each script is shown as transferred in an encrypted analog audio format between some equipment, such as digital playback or TVR means as mentioned earlier, and the headphones used by voters and assistants. This analog transfer is optional and believed useful in some applications as it would facilitate the recording of the encrypted signal by voters is and/or others using standard equipment inputs. However, digital transmission and recording inputs are also anticipated, and would then preferably not use the various conversions between digital and analog and the modem functions, all of which are shown for completeness. In the example analog embodiment, the voice reading the script is shown received in a us digital analog form and then compressed digitally using a so-called "codec" function for speech, 20187a, 20187e, and
20187Ϊ, for each of the respective scripts 20133-20135. Then the signals are encrypted, as described elsewhere, and such as by conventional encryption techniques, as shown in boxes 20187b, 20187f, and 20187J, respectively. After encryption, 2i the three output digital signals are converted to analog, by first passing through modems 20187c, 20187g, and 20187k, respectively. Then these three outputs are converted to analog for transmission by digital-to-analog converters 20187d,
20187h, and 201871, respectively. 24 The inputs to headphones 20102 and 20103 are shown as bold analog lines. The output of d-to-a 201871 is the input to headphones 20103 for the assistant, providing the position information. Voter headphones 20102 are sourced input from each of the ballots "E" and "F" as well as the positions "G" under the control of switch 20188a. The voter is to ay choose which of the two ballots "E" or "F" to vote; the other ballot "E" or "F" being made available to the voter for checking as already mentioned. One of the three inputs at a time is shown being selected by switch 20188f. When contest
20141 and such data is playing to headphones 20103, it is preferably also playing to headphones 20102, and thus selected so by switch 20188f. (When serial numbers are read, they are for clarity shown only to headphones 20102, however, they are optionally also provided to headphones 20103 by a switch not shown.)
Each of the headphones has associated circuitry to convert the transmitted signal to audio. In the example, this 33 includes a first analog to digital conversion, 20188a or20189a. This stage is followed by the modems 20188b and 20189b, respectively. These signals are the decrypted by decryption circuits 20188c and 20189c, respectively. Then codecs
20188d and 20189d convert the decrypted binary stream to digital speech samples and provide this as input to digital to 36 analog conversion 20188e and 20189e, respectively, for input to headphones 20102 and 20103, respectively.
It will be appreciated that the voter and/or various observers, including the assistant, preferably are able to record parts of the audio, whether from an analog signal, as shown by single example recorder 20157, or by a direct digital 39 coupling not shown for clarity. What the assistant hears is preferably recorded in its entirety, as indicated by the bold line from the assistant signal to recorder 20157. The voter hears the candidate names in the order corresponding to the ballot that is being marked and will be deposited, as indicated by the leftmost inputs to switch 20188f; the candidate names for a the other order, however, are selected as an output by switch 20188g and provided to recorder 20157. In another example embodiment, not shown for clarity, streams of names for both ballots "E" and "F" are provided for recording without switching: the switching is carried out later by the decision about which key to provide to the voter and which to
6 withhold. Also the voter preferably indicates which positions are to be marked, such as by input means such as buttons 20156 as already described (and shown for clarity but not shown connected to the underlying control system not shown for clarity in this embodiment) and, and these are preferably included on the audio channel fed to headphones 20102, 9 20103 and recorder 20157; these are believed to allow the voter later to verify the faithfulness of the marking by the assistant and for the system, optionally, to check the markings when they are scanned, as already mentioned for other embodiments. 2 Four ballot sheets are shown: a top and bottom sheet pair 20112a and 20112b for a first ballot and top and bottom sheet pair 20113a and 20113b for the second ballot. One of the four sheets is to be provided to the assistant and marked by the assistant. To make that sheet appear similar to other sheets marked by voters in pairs, a template 20115 with holes s similar to a top sheet is provided for use on the bottom sheets 20112b and 20113b. Similarly, to absorb the ink through the hole in the case that a top sheet is marked, bottom blotter 20114 is optionally provided.
In operation, the voter makes the selection on switch 20188f, which causes corresponding opposite selection on 8 switch 20188g (or later release of the corresponding key when both channels are recorded in encrypted form). The ballot the voter listens to is the one that the voter then provides one sheet of to the assistant. For instance, if the voter chooses to listen to "E," then recorder 20157 records "F" and assistant is given one of 20112a or 20112b; or, if voter chooses to 1 listen to "F," then recorder 20157 records "E" and assistant is given one of 20113a or 20113b. Then the voter hears the corresponding ballot number followed by a contest and candidate list. The voter selects one of the candidates as it is read and this choice is indicated, preferably by input means 20156 and preferably translated to audio such as by a distinctive 4 audio tone, and this indication is preferably recorded by recorder 20157, learned by control mechanism not shown for clarity as mentioned, and made known to the assistant, who marks the corresponding position. After the voter finishes voting, the marked sheet is turned in, preferably for scanning, and then it is returned to the voter. Those running the 7 election, or automated means, preferably check that headphones 20102 were listening to the channel corresponding to the sheet marked (or the corresponding key is provided) and that the other sheet of the pair marked is not released to the voter. The voter optionally then checks the recorded candidate orders against those posted on the voided released 0 complete ballot and/or against those printed on the voided full two-sheet ballot taken. The indicated positions recorded are preferably optionally checked, such as by the voter, against online information, to ensure the faithfulness of the marking by the assistant and/or the accuracy of scanning by the system. 3
Various generalizations, extensions, and variations are anticipated in keeping with the scope of the inventive concepts disclosed here. All manner of combinations that do not violate privacy and allow audit are anticipated. What the « voter hears and/or sees, however, is preferably kept secret to the voter; what the assistant sees/hears is preferably not secret so that it can be recorded. Nevertheless, either or both the assistant and voter can receive secret information in audio and video; the voter and/or assistant optionally receives additional secret information from indicia on a ballot part. 9 And furthermore, recording is optionally partial, such as with a log printer telling the assistant what to mark, but without timestamps so that the log does not reveal the timing of the instructions. Moreover, what secret information the voter and/or assistant receives (referred to here generally as a "presentation" to the voter or assistant) in some examples, such as those already described with reference to Fig 5-8, is related to the vote encryption indicia on the ballot forms, and in other examples it is separately committed. For example, such information can be in parts that combine to the printed indicia and/or it can be substantially independent. An example embodiment that is believed adaptable to both assisted and unassisted is now described, based on the embodiment of Fig 9, but not shown in all cases in the drawings for clarity. Everything is preferably committed to in advance and then opened for the ballot the voter in effect spoils in audit. As one example, the order for the assistant is fixed, so that the tape of the tones and what the assistant hears ("G"), or even a video of everything including what the assistant hears/sees/does, can be recorded and/or made public; the voter chooses between two committed sets of instructions and corresponding ballot forms ("E" and "F"), without the untrusted equipment knowing the choice until afterwards. (Also, related examples are described with reference to Fig 15.) An optional variant, without an assistant, is where the voter marks the positions as instructed by the chosen channel. For a sighted voter with assistant, the data is supplied visually (optionally by the ballot as mentioned below with a generic receipt), but auditory confirmation can also s be provided. Similarly, for the assistant, either or both audio and video are optionally supplied, as mentioned. The voter may of course be allowed to hear and/or see what is supplied to the assistant including position indications and tones, as mentioned. Also, what the assistant hears/sees and even does is preferably recorded by audio and/or video means, as s mentioned.
For embodiments where there is a cleartext ballot layer marked, such as that described with reference to Fig 17, and also where sighted voters read the complete form but instruct an assistant where to mark, a "generic" receipt form ! optionally is marked by the assistant. Such a marked generic receipt forms would preferably include the relevant serial number. It is preferably scanned and used in the tally, with the absence of any cleartext indicia apart from serial number that is missing preferably ignored by the scanning system. Where counts are provided of the cleartext ballots, in some settings a randomized sampling may be preferable, as the tally corresponding to the generic receipts would then not be revealed. In settings where the voter does not use the actual ballot, what will be called here a "privacy shield" can be used to protect the voter's privacy while allowing the assistant to mark the actual ballot form. In one example embodiment, not shown for clarity, an envelope with holes cut in it allowing marks to be made on the ballot it contains serves to hide privacy-sensitive indicia on the ballot from the assistant.
The embodiments described with reference to Fig 5 through 8 are believed extensible also to the assisted case. The voter hears one part and the assistant hears the other part and marks the receipt.
In another example, in keeping with scope of the invention, a standard audio of the candidates is provided (optionally with ballot rotation) and the assistant hears one of two orderings, each indicating where the corresponding marks are in the standard order on the particular ballot part or generic receipt actually used by the assistant (logging without timing would be an acceptable recordation). In still another example, both orders are randomized, voter or assistant gets two versions to choose from, or there are two versions each chooses from in a coordinated manner. With two randomized parts, for instance, the voter can take a tape of what the voter heard or of what the assistant heard.
The assistant in some embodiments receives only an indication from equipment of which position to mark when the voter signals and a record of these positions, preferably apart from temporal information, is permanent and provided to the voter and/or assistant, such as with a logging printer without timestamps as mentioned. In some examples, two orderings are used that differ from what is printed but are equivalent in effect, and a mapping between the two is committed in advance and opened afterwards for the spoilt half; which half of the form the voter takes can be decided 3 later or no half can be taken.
As other examples, audio streams are optionally digitally signed or otherwise authenticated. Whether they are recorded by voters/observers in analog or digital form, digital authentication is well known by those of skill in the 6 cryptographic authentication arts as being readily added to confirm the other data/sounds on the channel. Such authentication preferably allows immediate confirmation that the recordings are not readily disavowed by those operating the election. Various techniques, such as so-called "undeniable signatures" or delayed release of public keys allow some b restrictions in who can make and/or convince whom of the authentication.
In an unassisted voting setting, such as that described with reference to Figs 5 through 8, optionally two ballot forms are presented to the voter and the voter is able to select between them in a way substantially not known to the 2 system until after the ballot is marked. Like the embodiment of Fig 9, this allows the voter to listen to a single channel, chosen from the multiple possible channels. In such an embodiment, the voter can for example take one of two ballot/disc combinations into a booth, listen to one and mark the corresponding ballot accordingly and then surrender the one s listened to while optionally keeping the other one for audit. Which of two layers of ballot are taken, in the case of punchscan or related symmetric systems is believed the voter's free choice after marking; in non-symmetric systems, such as those to be described, the choice of layer to take is determined. 8 Multiple contests are anticipated, including ballot questions and candidates for offices.
Voters are generally provided authentication, preferably such as so-called public key digital signatures, related to the parts taken in each media, which can also safely be checked without the party checking learning the votes. More than 1 two layers of paper and/or parts of the audio are anticipated. The option for voters to change tracks for particular contests is also anticipated.
The electronics, wherever incorporated, are preferably on transparent substrates and include transparent covering 4 over chips and passive elements. Simple standard chips are believed preferable to larger and/or custom chips. Switches are preferably easily seen mechanical structures.
Special headphones are anticipated. Transparent or at least partly transparent and/or translucent parts are believed r advantageous. In some examples, they allow observers to verify that the voter has not placed any transducers inside. In particular, transparent plastic such as vinyl ear cups including transparent gel, such as silicon gel, and/or liquid are desirable. Similarly, molded plastic parts are preferably made from transparent thermoplastics. Speaker cones are 0 optionally formed from transparent material. Instead of foam, liquid or gel is preferably used to provide passive sound isolation, to reduce the sound transmitted outside the headphones. Another protective measure is to mask the acoustic information emanated with suitably chosen randomized signals from transducers configured towards the outside of the 3 sound isolation enclosures.
The electronics of Figure 6 and/or Figure 7 are optionally incorporated directly in the headset. When those of
Figure 7 are included, a single plug for a recorder is preferably provided. Means are provided to allow the voter to move 6 the normally-open switch to connect one of the two channels to the recorder, but the switch is preferably structured so that it then must be reset by a key held by election workers. Without that key, which choice was made is preferably hidden within the device; using that key, or a separate key for the purpose, the state is revealed before it can be reset. For 9 example, one key is needed to unlock the little door that exposes the mechanical switch and another is needed to reset the mechanical latch holding the voter chosen switch setting. The headset preferably does not operate until the voter selects one position and it preferably emits an optical/audible signal to indicate that the voter has not yet made the selection, in
3 order to make clear that poll workers have provided the device to the voter in the proper state.
In another example, the electronics are mounted visibly to a steel box preferably built to suitable emanations specifications, not unlike a small first aid kit including a handle. The box optionally serves to hold and protect the e headphones while not in use. The recorder of the embodiment of Figure 7 is placed within the box. Mechanical locking ensure that the voter state cannot be set or reset improperly and that the device cannot be used until it is set by the voter, as described elsewhere here. In particular, positive interlock is anticipated, so that only when the box is closed is a a substantially rigid element, such is used to hold a door open as with a gas spring, is brought into a configuration where a recess or hole in it allows operation. Cables are run out from the box through strain relief grommets that slide into channels accessible when the box is open or that are mountable as a unit through an opening in the box that is preferably
12 closed off by a cover allowing the cables and electronics to be protected inside during transport and storage.
Turning now to Figure 10, a combination block, flow, data, and cryptographic protocol diagram of an exemplary is embodiment of a mixing system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Six instance examples are shown, 30001a through 30001f. The first, 30001a, indicates the initial state published before any audit. The second and third instances, 30001b and 30001c, are is alternative examples illustrating the opening of different rows in initial audit, as indicated by the overarching bracket labeled by the word "or." In the fourth through sixth instances, 30001d-30001f, the example shown in instance 30001b is carried forward (as indicated by the arched "dash-dot-dot" arrow) rather than that of 30001c, as an arbitrary choice for
21 simplicity and clarity. The row that would have been opened had instance 30001c been used, as will be explained (the upper of the two rows marked in the left of the three columns of tables), is the one used for the vote in 30001d-30001f. Instance 3000 Id shows the publishing of the encrypted votes, intermediate results, and cleartext votes, as a sequence
24 connected by arched "dash-dash-dot" arrows. Finally, two alternative instances, again indicated by the "or" above a bracket, are shown with inverse binary challenge vectors of odd parity.
A particular notation is adopted for clarity. It indicates the content of the respective cell in the published data table n rectangles: Light gray indicates values committed to; white is values yet to be filled in; black (for rows) and darkest gray (for whole columns) are values that have been committed to in earlier instances and are now opened. Light line texture, medium gray dot texture and dark line texture indicate the public encrypted votes, intermediate mix values, and cleartext so outputs, respectively. Cells with a circle symbol in them are opened ballot parts. The straight lines with arrowheads indicate correspondences between data cells within an instance: "thicker dash-dot" lines being hidden correspondences, solid thinner lines being correspondences revealed in the initial audit explicitly by the data pointers in the corresponding
33 data cell where the line originates, and "thicker long-dash-short-dot" lines indicated the correspondences revealed in the final audit by the opening of the data cells containing the pointers.
Referring now to the first instance, 30001a, the table structures are described. These appear again in each of the
38 remaining five instances, 30001b-30001f, but are not labeled again for clarity. Four tables of data are shown: ballots 30011, example intermediate batch 30012 and example intermediate batch 30013, and cleartext votes 30014.
Each row of table 30011 corresponds with what will be called here a "potential" ballot: a set of data cells that if
39 opened during initial audit is not used further or which if not opened in the initial audit at least potentially goes on to serve as corresponding to an actual ballot. The first two columns of table 30011 each correspond to a different one of the two parts of such potential ballot: for concreteness, it the leftmost column will correspond here to the top sheets and the 3 middle column to the bottom sheets. The data cells of these two columns are informational copies of what would be printed on the corresponding ballot sheet. These two columns are shown in gray, as indicated above, corresponding to their initial state of being hidden by commitments. The rightmost/third column of table 30011 is initially empty but is c where the encrypted vote from the corresponding ballot will be posted once it is determined (such as by scanning a ballot).
The two intermediate tables 30012 and 30013 are examples of the parallel audit instances: ultimately, one or the 9 other half of each will be opened in a final audit stage. Each row corresponds to a potential ballot, again whether or not it survives beyond the initial audit. Even though the height of 30012 and 30013 is less relative to 30011 and 30014, no fewer rows are suggested. Two example rows are shown for convenience in each 30012 and 30013, but their content is 12 not differently colored than other rows until instances 30001b-30001f. The left and rightmost columns contain pointers to rows of table 30011 and 30014, respectively, as indicated by the gray dashed arrows shown for the two example rows.
The middle column is where the intermediate value, to be described, will be posted (as indicated by medium gray in is instances 30001d-30001f).
Table 30014 is where the cleartext votes will be published for tally. Those rows that survive the initial audit and for which ballots are scanned, will be filled, allowing anyone to tally the votes. The final audit will check the accuracy of is that filling.
Referring now to instances 30001b and 30001c, two example initial audit choices are shown. In the first, 30001b, the lower of the two indicated rows in table 30011 is chosen for audit; whereas in instance 30001c, the upper such row is 21 so selected. The, accordingly for each intermediate table, two of which as mentioned are shown, 30012 and 30013, the commitments of corresponding rows are to be opened. It is believed that, depending on the size of the election and other specifics, some number of rows in table 30011 would be selected unpredictably for audit (for instance as a result of a 24 publicly verifiable physical random generator, as in lotteries), such as, for instance, half the rows.
When a row is opened in an intermediate table 30012 or 30013, all four committed values are opened, as indicated in black. The middle value is still empty in instances 30001b and 30001c, and so it is not shown as opened. There are two 27 types of checks made on such a row: the "links" and the "transformations." First consider the links. As will be appreciated, for each particular row selected for opening in table 30011, the leftmost pointers in all opened rows of tables
30012 and 30013 should point to that row in table 30011 and the rightmost pointers of those rows in table 30012 and 30 30013 should point to the same row in table 30014. If the pointers do so point, the initial audit of the links will be deemed not to have detected fraud. This can be seen in the two examples 30001b and 30001c.
In addition to the links, just described, the initial audit checks the way that the "encrypted votes" are transformed 33 into "cleartext votes." The two leftmost columns of table 30011 record the information content of the indicia on the sheets of the ballot. They cause the cleartext vote to be transformed from the cleartext vote to the encrypted vote. This transformation will, in known and previously disclosed manner, be considered for clarity and concreteness as the 3β application of a group operation between two group elements: the cleartext vote and a group element determined by the cells of the two columns. When the two group elements from the corresponding row of an intermediate table are successively applied to this, the result should be the cleartext vote back again. If the group elements do so combine, the 39 initial audit of the group elements will be deemed not to have detected fraud. Referring now to instance 30001d, shown as mentioned is a continuation of the example of instance 30001b, after the initial audit is completed successfully and the votes have been scanned. First the encrypted votes are posted, shown by a the dark line texture column, the rightmost of table 30011 (where the entries for the rows opened in the initial audit are left blank, as the corresponding ballots are not used). The particular row the encrypted vote corresponds to is determined by the "serial number" identification indicia on the ballot, which corresponds in a public way, such as by being the row B number. The example row is shown with circle-containing cell entry for the left column, corresponding to the voter having, continuing the example mentioned above, chosen to keep the top sheet. The commitment for the indicia on the top sheet is opened and the voter can show the receipt if the value differs from that on it. Also shown, for clarity as a a dashed row, is an example where the voter kept the other sheet as indicated by the circle-containing cell being in the middle column.
Once the encrypted votes are known, the intermediate values, shown in medium gray as mentioned, can be
12 determined as can the final decrypted ballots, shown in "light line texture" as mentioned. These values are believed, as will be appreciated, preferably posted in the natural ordering from left to right, first for tables 30012 and 30013 and then for table 30014, as indicated by the dot-dash-dash arrows. The dashed gray linking arrows indicate that which row in each
15 intermediate table 30011 and 30012 points to a particular encrypted vote or a particular cleartext vote remains hidden at this point. (The opened row from instance 30001b and its thicker dashed links remains shown for concreteness.)
Referring now to instances 30001e and 30001f, alternative audit phase examples are shown. In instance 30001e, is table 30012 has its left side audited and table 30013 its right side; the opposite choices were made for example instance 30001f, where the right side of table 30012 and the left side of table 30013 are to be opened. Again, the "or" labeling the brace indicates that one of the two example instances is carried out, as will be appreciated, keeping hidden the linking
?ι between actual published encrypted votes and published cleartext votes. The long-dash thick arrows indicate parts of each linking, but it is believed do not provide enough to reveal any whole linking. When a column in an intermediate table 30012 or 30013 is opened, the group elements it contains are preferably checked using the links opened: a left side
24 opening (such as for table 30012 in 3000Ie) allows the group operation to be applied to the group element revealed and the published encrypted vote pointed to, and this should equal the intermediate value group element in the middle column, shown in medium gray; similarly, a right side opening (such as for table 30013 in 3000Ie) allows the group π operation to be applied to the intermediate value group element in the middle column, shown in medium gray, and the group element revealed, and the result compared for equality with the cleartext vote pointed to in table 30014.
so Turning now to Figure 11, a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a mixing system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. The process begins with entry point 30201. As shown in box 30240, all the
33 potential ballot details are determined, preferably from a true random process or a cryptographic random process, so that they are substantially unpredictable and preferably uniformly distributed. For each potential ballot, as per box 30242, the indicia of the two halves are each separately committed, in the left and middle columns of table 30011. Next, box 30244
36 shows the public random selection of some of the potential ballots for opening.
Once the initial audit is completed in box 30244, the physical ballots are printed as per box 30260. Then voters vote the ballots, as described in box 30262. During voting and/or after voting the information marked on the ballot is
39 scanned or otherwise captured, including the positions marked, the serial number, and which of the top or bottom sheet the voter keeps. Then box 30266 depicts the opening of the commitment on the indicia on the sheet retained by each voter. If the sheet is scanned and returned to the voter, then the sheet retained by the voter is that scanned; if the sheet is
3 deposited by the voter and the other sheet retained, then the sheet scanned is that deposited and the opposite sheet is retained, so the sheet other than that scanned has its commitment opened in table 30011.
The intermediate table entries are preferably next filled, corresponding to the middle columns of tables 30012 and
B 30013 in the already described examples, as shown by box 30280. The values of this cell, for each particular row, is determined by applying the group operation to the transforming value in the left of center column and the encrypted vote pointed to by the leftmost column. The cleartext votes of table 30014 are readily determined as portrayed in box 30282 9 from any of the intermediate values, by applying, for each row, the group operation to the intermediate value and the right of center value and placing the result in the row pointed to by the corresponding rightmost column. Finally, box 30284 shows the preferably public random selection of which halves of the intermediate tables to open, such as the right or left
12 halves of tables 30012 and 30013 as already described. The audit checks that the values revealed, when combined with the intermediate value using the group operation, properly correspond to the value pointed to by the adjacent opened entry. The end of the process 30202 is when sufficient values have been opened for post election audit. Further values are
15 optionally opened later, as optional additional instances of box 30284.
Commitments, as will be appreciated, are known. In the cryptographic art, for instance, commitment schemes are known that are provably unconditionally unchangeable but only computationally hiding and these are believed preferable
18 for election systems. Such provable commitments are believed to require substantial computation and storage. A hybrid approach entails such a "quality" commitment to a key, and then the key being used to commit to a much larger value, such as by x-or of a pseudorandom sequence generated by the key. It is believed that the hybrid has the properties of the
21 underlying quality scheme.
In the present application, it is believed that hybrid schemes are well suited to the commitments for the halves of intermediate tables such as 30012 and 30013. The commits to each individual cell in table 30011 are believed numerous
24 and would benefit from a conventional symmetric encryption type of commit, where the key is the secret revealed to open the commit. In order to maintain the properties of the quality commitments, however, each such key is preferably divided into pieces and each piece associated with the corresponding pointer of a corresponding intermediate tables, such as
27 30012 or 30013. Thus, on average half or so of these columns would be opened, and half or so of the bits of the keys used to open the rows of table 30011 would preferably then be subject to double check, ensuring their quality with high probability. Care is preferably taken that not all the left sides of intermediate tables are opened, leaving enough
3o uncertainty about the keys to make them infeasible to guess. (Right halves of the intermediate tables optionally also reveal parts of the ballot commit keys, thereby increasing the key size and lowering the chance of substantial collisions.) It is believed that the left two columns of each intermediate table are preferably created pseudorandomly and that they
33 then determine the right pointers and the keys for the commits in table 30011. The ballot parts are preferably independently created and in turn then determine the value of the right transformations. An example optional way to create the ballot parts is to create each pseudorandomly.
36 In addition to hybrid schemes, "redundant" schemes more generally are anticipated. With these, a commitment to some data is made with more than one scheme, and in some cases both are always opened, perhaps one later than the other. Thus, quick commitments are preferably used for each data cell and opened first. Then, redundant commitments are
39 opened later for verification. Furthermore, it shall be understood that use of conventional cryptographic encryption can be applied to form commitment schemes of high quality. For instance, publishing a commitment using the same key to some constants
3 chosen as a kind of random challenge initially allows more confidence in the unique key opening. Similarly, the more "independent" and "redundant" data encrypted with a conventional commitment key, the more likely the key revealed in opening is unique.
6 Many variations and modifications are anticipated without departing from the spirit and scope of the present invention. For example, division between multiple trustees for robustness is optionally accomplished by so-called secret- sharing of the secrets for opening each set of mixes. As another example, the tables are split into partitions horizontally so
9 that multiple challenge bits can be applied in the final audit of a single intermediate table. As a further example, the contests are divided into disjoint "partitions" that each have their own intermediate batch tables and cleartext votes tables but share the common ballot table, thereby hiding the correlation between contest results across partitions. A still further
12 example allows more than one subset of the ballots from a single set of tables to be voted and audited together as needed after the table structure is fixed.
is In systems related to those described with reference to Fig 12 and Fig 13, generally, voting is anticipated in substantially seven example types of setting:
(a) in person with automated scanning; is (b) in person with manual ballot box;
(c) remote, where a single piece of paper is mailed in ;
(d) remote, where two pieces of paper are substantially separately mailed in; 2i (e) in person by voters with visual disabilities marking; and
(f) in person voters by voters with disabilities having assistance in marking.
24 It is believed that a substantially two part form is sufficient for settings (a), (c), (e), (f). A three part form is believed more appropriate for settings such as (b) and (d), where three different dispositions of parts of the form are natural. It is believed that two-part forms can be used in the setting where three-part forms are preferable, but that privacy a? may be diminished particularly for the direct as compared with indirect marking interfaces. As will be appreciated, settings (a), (c), (e), (f) each have two variants: where the voter identity is not linked to the marked image or artifact retained by those running the election, and that where it is in order for the handling of so-called "provisional" or "vote-
30 from-anywhere" ballots. In the linked case, privacy afforded by the ballot information associated with the voter identity is preferably not readily violated. With mail in ballots, linking to some degree is preferable in making the eligibility decision based on an affidavit or the like, which is believed to impede some improper influence scenarios; however, it is
33 preferably also to the entity that cannot link to votes unilaterally.
Turning now to Figure 12, a combination schematic and plan view of an exemplary embodiment of two-sheet 36 combination ballot in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. A perspective view is shown in Fig 12A, while two-up views of each side are shown in Fig 12B and Fig 12C. (The end view is from the bottom.) As will be appreciated, two separate ballots of the type shown as in Fig 1 are in effect combined into a single form in the lower half. I the upper half, a ballot with marks next to candidate names is shown with the marks to be made through the holes provided in the dotted ovals shown on the inner layer, as will be seen. Each of the two outer sheets has a different serial number, in the example they are linked as an odd/even
3 pair. A perforation line is shown to allow the serial number part to be separated from the main part, thus four separable parts in all. The identification number for the inside layers are substantially independent. Moreover, each has a "code" prefix before the dash, "12" for the left and "55" for the right, which codes will be explained. β Turning now to Fig 12D-M, various views and online images are shown. Fig 12D shows the unvoted ballot form as viewed with the odd serial number up. Fig 12E shows the orientation of Fig 12D but voted, with a dotted oval for the third candidate "Arthur Lint" shown filled, such as by hand using a pen, and a daub over the letter "C," being a vote for 9 "Ed Ant," as the candidate labeled by that symbol on what is in this orientation the top sheet. When the two sheets are separated at the vertical perforation, the odd one has no marks on it, as seen in Fig 12F. The voter preferably also retains the upper foil from this unmarked form, the inner side of which is shown in Fig 12G. The inner surface scanned and that 2 serves as the rest of the receipt is shown in Fig 12H. When the voter goes online, the number on the main receipt is entered and provided to the online system; the code from the slip described in Fig 12G, however is entered locally in software preferably run at the user computer. The image the voter then sees, Fig 121, is a correct synthesized rendition of s the essential information on the receipt, but with the code entered shown. The code preferably maps the data provided to the local computer, such as by an Abelian group operation, so that any pattern of marks is equally likely if the code is independent and uniformly distributed. This is illustrated further in Fig 12 J, where the wrong code is entered and the s marks are randomized in their positions.
The reverse side view of the voted ballot is shown in Fig 12K for clarity. The reverse side of the receipt, however, is shown in Fig 12L, which matches that from the right side of Fig 12B. What is preferably also displayed for audit by the 1 voter is an online view of this that is augmented to include the identifier on the strip the voter kept from Fig 12G, but with the code substituted for "55," that one the receipt. Thus the voter can check all the other printing against the online version. 4 It will be appreciated that, for example, if one of two parties prints the two-up indicia on the outside of the form,
Fig 12B, and the other party prints the inner two-up indicia of Fig 12C inside the form (they use the common identifier printed on the inner is used to coordinate the printing), and the inner-printing party does the scanning, then neither party 7 alone learns the votes. The scanning party does not learn the votes because the scanning party does not know what is on the corresponding outer, as the other party printed it. But the scanning party does know the code the voter has and provides the posted information so that the code is needed to decode it. The non-scanning party does know the outer o printing associated with the common identifier mentioned and available online, but the outer printing party does not know the code used to permute the vote-determining information on the inner sheet rendered in Fig 121. Since the unused to parts are shown in clear, they can be checked against the posting and cheating in printing by the parties would be 3 detected, as the commits for those parts would be opened after the scan is made. The serial number for rendering is from the opening of the commitment by the outer-printing party.
ϋ Turning now to Figure 13, a combination schematic and plan view of an exemplary embodiment of three-sheet combination ballot in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Fig 13 A shows the three-up version of the ballot with the candidate names, 9 corresponding to the Fig 12B, but with the extra sheet on the right that is "C-folded" into the middle and has the smaller holes in it. (The end view is from the top in this figure.) Similarly, the three-up plan view of the other side shows the indicia essentially of fig 12B, but with the additional panel on the left. The identification number for the sheet with the
3 small holes only appears on this printed side for the inner part — it will be recognized when the party that printed the inner side scans and will allow it to thereby determine the other serial numbers and the codes.
Turning now to Fig 13C-L, similar views are presented as were already described with reference to Fig 12. The
B unvoted view of the side that will be voted in the example is shown in Fig 13C, where the middle circle is from the small holes already mentioned. Voting is shown by daubing and the middle two positions are marked in this example as shown in Fig 13D. The daub marks can be seen on the sheet with small holes in Fig 13E, which is the sheet provided for double- s sided scanning by the part who printed the inner side Fig 13B. The voter again keeps the part of opposite top, shown as Fig 13F, but that top part is destroyed. The voter also has the bottom part marked, Fig 13G, which is then compared to the online version Fig 13H. Since the code is used locally, the correct printing and mark positions are rendered; but as seen in 2 Fig 131, without the correct code, neither mark positions nor symbols are likely in their correct place. Again, the voter is able to check that what looked like Fig 13J before voting, and looks like Fig 13K, now as the back of the voted bottom Fig 13G, is shown correctly online with its serial number "2765651." Also shown is the identification for the other side s and the code from the marked side, as with Fig 12.
Turning now to Figure 14, a combination block, flowchart, schematic, and protocol diagram of an exemplary s embodiment of a combination disability friendly voting system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. In this example, two different ballot sets are shown and the voter has preferably been able to choose which one. The system does not know which one. The assistant i only marks the lower sheet from Fig 12, based on the signal from the voter who is listening to the correct order of candidates (but which order the voter listens to is unknown to the system). The translation by "G" allows the orders the voter hears to more convenient, especially if two different "G" values are used, not shown for clarity. Also, as will be 4 appreciated, a similar setup can be used for two ballot sets more generally. The voter also keeps the code for use in audit, as shown in the screen images. This setup and process is substantially similar to those already described with reference to Fig 5-8. 7
Turning now to Figure 15, a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of an untrusted-assistant combination disability friendly voting system in accordance with the teachings of o the present invention will now be described in detail sufficient for those of skill in the relevant art. This setup and process is substantially similar to those already described with reference to Fig 14 and also Fig 9. It will be appreciated that giving the voter the choice of two complete ballot sets, but not letting the system know which one until afterwards applies 3 generally. The audio for the assistant shown can, as mentioned be public and/or replaced by visual signals. The voter signals the assistant using temporal signals or by speaking or signing numbers, for example.
R Turning now to Figure 16 a combination block, flowchart, schematic, and protocol diagram of an exemplary embodiment of a two-party mixing system in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Values of various types are shown as entries in the three 9 matrices of five columns and the two of one column. The dashed lines between the matrices illustrate the values of the pointers and indicate each pair of rows, one per matrix, with values corresponding to the same ballot. The numbers to the left of each row of the leftmost matrix are row numbers that apply to the position of rows in the matrices themselves. The rows of the matrices are comprised of entries called cells, one per column. Each cell is of a particular one of three underlying data types: pointers (shown darkest gray) to other rows; transformation parameters, and the actual values corresponding to votes in various stages of processing. The underlying data types appear in either encrypted or "committed" form and decrypted or "cleartext" form, and some change from encrypted to decrypted form as processing proceeds through an election cycle. The pointers and transformation parameters (shown as table entries with various gray backgrounds) in particular appear initially in encrypted form and are selectively decrypted later, preferably in accordance 9 with challenges. The vote values (shown as table cells without gray background) generally appear in cleartext, although they are subject to transformations as will be described. The cleartext representation shown for both vote values and transformation parameters is shown as integers modulo three, for clarity. The transformation operation is shown as addition modulo three, for clarity, although for multiple vote contests particularly, more general bijective mappings are anticipated, as would be readily appreciated by those of skill in the cryptographic art (for instance, composition of arbitrary randomly chosen group operation being well known). s Two entities, the "receipter" and the "Tallier" are shown in the preferred embodiment. The receipter knows the keys to the encryptions of the leftmost two matrices; the tallier knows those for the five-column matrix on the right side. Accordingly, the receipter knows the leftmost two row permutations and the tallier the rightmost two. The five matrices can be thought of as a single "virtual matrix" if the rows are taken to be re-ordered so that the row permutations are the identity. (Preferably each matrix has the same number of rows.) The secrecy of the ordering of the rows, however, protects privacy. The middle matrix, with its single column, is taken to be in the order of serial numbers of the i corresponding ballots for clarity and simplicity. The linking of this order to the tally order is kept secret by the tallier, even though there may be more than one instance of the right five-column matrix. Similarly, the middle five-column matrix hides the linking of the serial number order to that to the "receipter's secret ID" that orders and allows voters to find the corresponding posted rendering precursors. (In some embodiments, a further indirection to the receipter's secret ID is provided, the receipter's super-secret ID, such as by a separately committed to and individually openable mapping, to allow the receipter but not others to link, as will be explained.) Multiple instances of the two permutation-containing matrices are preferably used in parallel, as will be appreciated, but not included here in the description for clarity. Operation, in overview, includes a series of transformations. This begins from the leftmost column posted "rendering precursor" (v -p), which when combined with the scramble digits from the ballot on the voter computer should reveal the actual mark positions (m). After moving across from left to right, and being transformed and switching rows in accordance with the transformation parameters and pointers, the final result is the cleartext vote (v). Thus, the modulo three values in the "tally" column are preferably for clarity interpreted as corresponding with zero-based indexing to the three candidates in a pre-determined order, such as alphabetical order.
Overall processing proceeds in three main phases: "pre-election"; "election pre-tally"; and "tally and audit." Preelection, the first phase, posts the pointers and transformation parameters in encrypted form. Then a preferably public random selection is made of these values, such as by indicating certain rows, for instance by the index of the "shared value cell," which is preferably the ballot serial number. The keys that allow these rows to be decrypted are then revealed, thereby "opening" the "commitments." Any interested observer is then able to check that the pointers are followed and that the net effect of the transformation of the resulting "virtual row," apart from the leftmost matrix, is correct, and that the pointers are at least distinct. Substantial probability of correctness of the postings can be established by this phase. 3 Election pre-tally, the second phase, entails two aspects, posting of "rendering precursors" and opening of rows indicated as unused in the voting. These preferably proceed in batches, preferably synchronized so as to provide a simpler voter experience. Voters are able, once their ballot batch is posted, to see two things preferably in their own information 6 processing system (pc): the unused serial number of the pair of serial numbers forming the ballot is posted and matches that unused part of the ballot form the voter retains; and that the marked positions (and their symbols, where used) match that viewed when the scramble code and receipter secret number are entered and processed locally. 9 Tally and audit, the final phase, entails releasing the outcome and public verification that transformations, substantially and at least with substantial probability under the assumption of random challenge, are correct. (As will readily be appreciated, the values can optionally be encrypted and selectively checked without revealing the tally, 12 preferably even to either entity, as a kind of robustness test of the transformations.) All the values will be posted substantially at once, first by the receipter entity and then by the tallier entity, for simplicity in explanation and clarity.
Verification of the transformation proceeds as with previously disclosed systems referenced earlier: one or the other of is two halves are requested to be opened, but not both, and optional parallel instances provide additional verification.
The formula notation indicates the basic transformations and their relations. The formula corresponding to each pair of transformations indicates the net effect of the pair. The values rl, r2, and tl, correspond to the two transformation 18 pairs by the receipter and the single pair by the tallier, respectively. The same symbols with a comma and second numeral appear in the labels above the columns. Without the comma, the transformation is the net combined transformation (the sum in the case of addition modulo three); the values with the same symbol but the two different digits after the comma 21 have a combined net transformative effect equal to that of the symbol without the comma. Thus, for example, applying rl,l and then rl,2 give the same transformation as applying rl.
The formula for a value column gives a closed form for the value of each of its cells. The values v,p, and m have 24 already been described. Each is instantiated once per virtual row. As will readily be appreciated, each entity introduces a transformation corresponding to its printing. There is a shared but otherwise preferably random transformation s (=sl+ s2) that is know to each party to relate to each row of the shared value column. The receipter includes the shared a? permutation in two stages, first si and then s2, and then the tallier removes both of them. Transformation -pi is what lets the posted rendering precursor not reveal the actual mark m. With direct marking, only one permutation, pi, is nontrivial; with indirect marking involving printing by both entities, both pi and p2 preferably correspond to printed so transformations.
Turning now to Figure 17, a combination schematic and plan view of an exemplary embodiment of a carbonless 33 ballot form in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Fig 17A-C shows a ballot formed from a substantially sheet material such as paper or the like with a so-called "carbonless copy" functionality preferably on the inner surfaces, those surfaces exposed in Fig 17C. The 36 so-called "self-contained" type of carbonless coating, such as that made by Appleton of Wisconsin under the name SC NCR paper and product number 2751, being an example. The printing on the outside surface of the folded and preferably pre-perforated form, as shown in Fig 17A, has as examples two contests each of three candidates. The serial number, 39 765653, is shown on Fig 17A. The order of the candidates is preferably arranged related to the serial number according to an encrypted voting scheme, as disclosed in references mentioned. It will be appreciated that an optional extra set of the same contests is shown printed on the reverse side of the ballot, as seen on the left half of the so-called "two-up" front 3 surface of the form shown in Fig 17B. One advantage of such apparent redundancy is believed to be that it provides voters the ability to keep a valid ballot that they or others can then audit, a technique mentioned elsewhere here and generally useful, as will be appreciated. Another believed example advantage is allowing the voter a chance to fill the 6 form again in case of a mistake.
When the voter fills an oval — as with current optical scan systems — next to the candidate in a particular contest, the mark is transferred onto the other layer of the still preferably folded form through the carbonless system function. 9 (The optional large ovals shown on the inner surfaces are an example graphic to help voters interpret the positions of marks formed on that surface of the receipt.) As will be appreciated, using an SC layer, such as a fully coated exposed surface of Fig 17C, means that the mark is also visible on the inner side (the side shown on the left in Fig 17C) of the 2 sheet marked as well as the inner side of the other sheet (exposed on the right in Fig 17C).
Such double-marking is believed an advantage as the scanning of the sheet submitted preferably is double-sided and detects the images of the marks created by the carbonless and preferably uses the additional information to help s improve the accuracy of the scan. For instance, the system preferably warns if the marks on the inner surface (left side of Fig 17C) do not reflect those on the front surface (right side of Fig 17B). It is believed that using such inner carbonless mark, instead of or in addition to the corresponding outer mark, provides additional uniformity and information about s voter marking. For instance, some marking instruments, such as certain pencils or colors of ink, do not scan well in some systems; with the carbonless, the mark color is determined by the dye. Moreover, marking pressure is indicated in carbonless images. In the case of the SC mating carbonless surfaces, they receive almost exactly the same pressure and i thus produce substantially similar marks, ensuring that what is on the receipt is also essentially read during scanning of the ballot. Tin's is in contrast to most copy technologies, where it is never sure if the copy reflects the original.
In production, the forms are preferably printed on the inner layer and perforated for folding in a first step, as this is 4 preferably the same per ballot. Then the outer surface is printed, with unique serial number and corresponding permutations of candidate names per contest as known. If folding precedes the outer printing, then smaller format printers, including so-called demand printers, can be used, which may be an advantage in some applications. In large- 7 volume production, so-called web printing is preferably used followed by die cutting and/or sheeting equipment, as is known. Two cooperating carbonless coatings, such as applied by modified offset printing as known, one located behind each set of ovals on the front surfaces on both sides of the inner layer, are preferable, as the amount of coating material is 0 reduced compared to full coating and marks resulting from handling can be reduced by separating the layers.
In a novel example embodiment, two separate two-part carbonless chemistries are used, one part from each applied to each layer; the result appears to work like the SC type, except that when the two layers are separated, no stray 3 marks are recorded as the typically micro-encapsulated activator needed for each sensitive coating is not present in its own layer. The inclusion of so-called "taggants" in the material optionally provides evidence that the marks were caused by the same opposite part. β In operation, as will be understood, the permutations of positions related to serial numbers are committed and audited, such as described with reference to Figs 1-4, Fig 10 and Fig 16. The voter then receives a form preferably folded as shown in Fig 17A, for instance in the mail for so-called absentee voting, or at a polling place, and fills the ovals as 9 usual. If there are redundant ballots, one on each side, as mentioned, the voter preferably chooses substantially randomly between them. After marking as with conventional ballots, the voter is to separate the forms along the perforation/fold line shown, to produce the two separate sheets shown in Fig 17D through 17G. (In particular, ID is the outer surface 3 marked directly by the voter, IE is its inner side; IF is the inner surface of the receipt sheet and IG its outer surface.) The upper sheet, shown in Fig 17D-17E, is then submitted as the ballot, such as to a ballot box, scanner, or mailed in. It will be appreciated that this form is substantially similar to existing ballots and is readable and can be counted by hand if need 6 be. For polling place voting, but not shown for clarity, part of the system optionally includes at least a scanner and screen to shown the voter the results of the scan.
The other sheet, shown as Fig 17F-17G, as mentioned, is preferably kept as a so-called encrypted receipt. The 3 encrypted receipt preferably is also available online or otherwise for checking, as illustrated in Fig 17H, which shows each side of the receipt, side-by-side. The voter preferably has at least the opportunity to check this as in related systems, typically by providing the serial number to an automated system. The large ovals of Fig 17H correspond to those of Fig 12 17F, and in the example are selectively filled as an example way to indicate whether a corresponding mark was recorded for the corresponding position in Fig 17F.
In another exemplary embodiment, not shown for clarity, the association of candidates with positions is mediate 15 through arrows, as in Fig 19. Thus, the order of candidates, in some examples, is optionally fixed, for instance, yet the arrows associate apparently randomized oval positions with each candidate. As another example, symbol pan" matching, such as described with reference to Fig 1, is optionally used. Indirection through graphical or symbolic means, such as in is the examples mentioned, is also applicable for instance to the embodiments of Fig 12 and Fig 13.
Turning now to Figure 18, a combination schematic and plan view of an exemplary embodiment of a sticker
2i palette and associated ballot form in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Fig 18A is what will be called here a sticker palette and 18B a ballot form, before voting; Fig 18C is the palette of Fig 18A after voting and Fig 18D is the corresponding voted ballot. As will
24 be appreciated, each of the example six stickers on palette 18A has the same barcode pattern; preferably these patterns are the same per palette, but at least substantially distinct across palettes. (In some settings, re-use of such patterns for a number of ballots in an unpredictable manner is believed to offer some privacy and provide only minimal risk of abuse, as
27 returned to later.) Also, each sticker shows a symbol pair, a contest number and a candidate identifier.
Referring now to the un-voted ballot 2B, each candidate is shown in the example as being associated with a unique candidate identifier symbol. In the example, symbols are taken as lowercase letters from the same prefix of the alphabet,
30 but other choices of unique indicia per candidate within a contest are believed suitable, such as including different letters per contest, different colors per letter, non-familiar symbols, and so forth. The corresponding committed data is as described in co-pending applications included by reference.
33 In operation, the mapping from symbols on the stickers to candidates, related to serial numbers and as defined by the indicia that will be covered by stickers during voting, is committed and audited, such as described with reference to Figs 1-4, Fig 10 and Fig 16. To vote, the voter removes the sticker from the palette corresponding to the contest and
3* symbol for the candidate and places it over the symbols in the region indicated, as shown in Fig 18C and 18D. The resulting palette is the encrypted receipt; the resulting ballot is the form that is mailed in or presented to an official or placed in a box or scanned. It will be appreciated that a properly positioned sticker covers the codes for the various
39 candidates, thereby rendering the ballot (at least as ordinarily viewed) substantially encrypted. For polling place voting, but not shown for clarity, part of the system optionally includes at least a scanner and screen to shown the voter the results of the scan.
3 Generally it is desired to not give uniquely identifying numbers as parts of forms used by individuals where privacy is a concern. In the present system, it will be appreciated that the codes on the stickers (as in Fig 18A and 18C) are optionally independent of the ballot serial numbers (Fig 18B and 18D). Accordingly, if each is not unique but rather e used with some multiplicity and each is assigned by an independent entity, then each entity knows only limited restrictions on each user (and should probably not even be allowed to retain this in many applications) and yet the combination of the numbers has a substantial probability of being unique. Moreover, even in the case there is a
9 duplication of the combined numbers, it has a substantial probability of being detected if the voters chose different parts of the ballot and/or voted differently, and some after-the-fact accommodation for this case is also anticipated.
12 With reference to Figures 19, generally, all manner of substrate material are anticipated, such as paper, card stock, coated paper or stock, laminates more generally, and various other materials, whether formed from single sheets/coatings and/or fibers and/or yarns. Scratch-off coatings are traditionally formed from latex. Attachment of tamper-indicating is layers is by a wide variety of known techniques, including: adhering around the edge, self-adhesive materials, folded edges, and welded seems. Various tamper-indicating techniques, such as fugitive adhesives, residue layers, aging chemistry, frangible parts, and the like are known from various fields and are readily combined here.
18 Serial number or the like, preferably human and machine readable, preferably identify the ballot forms, however, these are optionally protected by various layers not described further for clarity. Information revealed to voters preferably comprises such things as digits, letters, code groups, pronounceable artificial words, various symbols, and the like.
21 Bullets or other identifiers for candidates are preferably from different colors and symbologies that are unrelated to the election issues. In some examples, candidate and/or question identifiers themselves are optionally used in place of the bullet symbols. Label layers optionally contain arrows associating candidate/questions on one end with mark positions on
24 the other.
The codes under the protective layers correspond to the symbol choice in other systems, such as those described with reference to Figs 1-4, Fig 10 and Fig 16. The mappings between voter choices and codes that is preferably destroyed a? by the voter during discovery of the codes can be regarded as defining symbols marking the choices, as would be understood by those of skill in the art, and those symbols would be committed similarly to the way the codes are. Voters can check that the unused ballot parts, such as additional sheets, were committed properly, by not voting them and then
3o checking the opened values of all the commits, that should be posted in this case. Similarly, voters can check that the codes they provide are in fact posted. Integrity is thus believed voter-verifiable, assuming the audit random values are truly unpredictable.
33 One example variation, as will be appreciated, comprises multiple contests on the same form. Another example is multiple forms, preferably attached, such that the voter can choose which form to vote and which to inspect and even check to ensure that it is well formed.
36
Turning now to Figure 19, a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including printing above scratch-off layers in accordance with the teachings of the present invention will now 39 be described in detail sufficient for those of skill in the relevant art. For clarity, callout number is not used. Two candidates, "Tom Jones" and "John Dean" are used as example of what is being voted on. Each is labeled with a symbol, in the example "O" (reverse circle "A") for the first, "Tom Jones," and "©"(reverse circle "B") for the second, "John 3 Dean."
The voter is to mark the upper square in case they wish to vote for Dean and the lower to vote for Jones — on this particular example ballot instance with serial number 34824. But other ballots, each preferably with their own unique E serial number, preferably have substantially independently arrange symbols, such as being cyclically shifted or more generally permuted, as is known from other example voting system such as the so-called punchscan system. The indication to the voter of where to mark for which choice is preferably printed on top of the scratch-off layer shown with 9 round corners and encircled by a dotted line that is printed on the sheet, as indicated on Fig 19A. The example shown is where the indication is as bullet symbols and triangle pointers. Optional and/or alternate examples of arrows and/or color coding are anticipated as well.
12 Referring to Fig 19B-C, the indication of where to mark has been "scratched off and effectively removed and destroyed. In the first example Fig 19B shows the state of the ballot after the voter has selected and marked the upper square. This would correspond to a vote for Dean in the example as mentioned. The marking is shown in the preferred 15 embodiment of scratching-off the layer covering that square. Other marking means are anticipated. Fig 19C illustrates the case where Jones is voted for. It will be appreciated that in both voted forms the voter has substantially in parallel removed layers to protect ballot secrecy and to mark the vote. It will be appreciated that neither voted ballot reveals the i8 actual candidate voted for to the public.
Referring now to Figure 19D-E, a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including printing below scratch-off layers in accordance with the teachings of the present invention will 2t now be described in detail sufficient for those of skill in the relevant art. For clarity, callout numbers are not used and the two candidates are again labeled with symbols O (reverse circle "A") for the first, "Tom Jones," and Θ (reverse circle "B") for the second, "John Dean." The unvoted ballot would appear substantially as in Fig 19A (or Fig 19F to be 24 described.) The two instances of the ballot shown include numbers printed under the scratch-off regions. The number "98253" under the larger region serves to authenticate that the scratch-off over that region was substantially removed, such as when that number is provided to those running the election; the number optionally servers as all or part of the 27 serial number of the ballot, not shown for clarity.
When the voter marks the upper choice, the number "347921" is revealed. This number would be transmitted to those running the election to indicate that the particular choice and at the same time provide some authentication. 0 Similarly, when the voter in effect marks the lower choice, the number "824014" is revealed. Tin's number would alternatively be transmitted to those running the election to indicate that the particular choice and at the same time provide some authentication. Countersign numbers are known in the art, such as disclosed by the present applicant, and 3 their use is anticipated as an option here. Again, it will be appreciated that neither voted ballot reveals the actual candidate voted for to the public.
In some examples scratch-off is not used for the mark squares but rather the printing is substantially visible and/or 6 hidden by the cover to be described with reference to Fig 19F.
Referring now to Figure 19F, a combination schematic diagram and plan view of an exemplary embodiment of a ballot form including cover layers over scratch-off layers in accordance with the teachings of the present invention will 9 now be described in detail sufficient for those of skill in the relevant art. For clarity, callout numbers again are not used. The embodiment shown here optionally is incorporated in the embodiments already described with reference to Fig 19 and Fig 19D-E above as mentioned. The extra large region with round corners indicates a cover over the scratch-off layer 3 shown in Fig 19A already described. Such cover is optionally as mentioned from folded stock, self-adhesive layers, and or otherwise adhered protective substrates. It preferably provides tamper indication, in that when a voter receives the ballot and the cover has been circumvented this is preferably substantially apparent to the voter. Once the voter removes e the cover, the ballot can be of the forms already described with reference to Fig 19A-C or Fig 19D-E. Someone without special information seeing the form before the voter votes it (while the cover is protecting the printing on the scratch-off from being learned) and after it has been voted, preferably is unable to learn how the voter voted.
9
With reference to Figures 20 through 22, generally, voters who are to be allowed to vote in a polling place are displayed in the sequence in which they are admitted, at least the most recent part of the display being visible to voters. 12 Certain sensitive information, such as private addresses and/or signatures on file, is allowed to be viewed by voters present. Voters or parties are allowed to photograph or otherwise record the images displayed, but these are filtered selectively to protect the sensitive information from being recorded. is In some example settings the poll book is on paper, in others it is automated, and in yet others the book for the particular polling place is in paper but automated information is available for other polling locations within some political subdivision.
18
Turning now to Figure 20, a combination block, flow, functional, schematic diagram, of an exemplary embodiment of a paper-based polling-place sign-in and forms in accordance with the teachings of the present invention
?ι will now be described in detail sufficient for those of skill in the relevant art. The process is shown as a loop repeated for each voter who appears at a polling place to cast a vote, as indicated by the repetition symbol of box 2001. A first step per voter, shown in box 2002, is to locate the voter name in the poll book. In some settings this is accomplished by the voter
24 alone, in other by the voter in collaboration with one or more election workers, and in other by the election workers substantially independently. In this example setting, the poll book is read by an automated device, such as a barcode reader or scanner. (In case of a provisional type form, the name of the voter in some settings is retrieved from an online
27 poll book; in other settings it is entered manually, such as by typing or writing.) Next box 2003 shows that an indication of where the voter name appeared in the poll book is printed out. (In the case of a form, the form number is preferably printed as a pointer.) Additionally, a sequence number for the signature slots and/or ballots in the box is also printed.
30 (Different sequence numbering for provisional ballots may be called for in some settings, particularly where the ballots are segregated.) As indicated in parallel box 2004, the poll book entry for the voter should be marked. A preferred way to accomplish this is by an automatic advancing serial number stamp, as are known in the art. The serial number assigned is
33 preferably printed as well. (In the case of a form, the sequence number or position of the entry on the paper record is preferably included on the form.)
At this point, as called out in box 2005, the voter is to make a handwritten signature, preferably adjacent to and on
36 the same paper as the poll book pointer is printed. Once the voter signature has been made, a signature image on file is then printed, as called for in box 2006. This sequencing is intended to give confidence that imposter voters don't simply attempt to copy a signature already printed. If the sequencing is by the paper rolling back into the printer, then this is
39 preferably also a convenient time to scan the signature provided, as well as whatever else is printed, for potential electronic backup and distribution. A further variation, not shown for clarity, is where a photograph of the voter appears instead of or preferably in addition to the signature. Naturally, whatever biometrics, identifiers, passwords, or facts related 3 to the voter can be included optionally as well.
At this point, a determination is optionally made as to whether the signature is valid and matches close enough, such comparison by humans and/or automated. If there is a match, then the voter is allowed to act and attempt to vote, as s indicated by the symbol of box 2008. If there is a sufficient discrepancy, then a procedure is preferably initiated to mark the entry printed and optionally that in the ballot book, accordingly. The process then repeats with box 2001 for the next voter.
9
Turning now to Figure 21, a combination block, functional, schematic diagram, plan, and pictorial view of an exemplary embodiment of a partly automated paper-based polling-place sign-in and forms in accordance with the 2 teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Three different related parts are shown in Fig 2 IA-C, respectively.
s Fig 21 A is an example poll book. It is preferably pre-printed and should include the names of all registered voters for a particular polling place. A barcode is shown printed next to each name, as an example to indicate the voter name and/or identity in a readily machine-readable format, although it is believed that text can as well be read by scanners. 8 Also printed is additional information, such as voter address, intended to help voters recognize their own entry and to allow other voters and/or observers to assess the validity of the poll book. Also shown is provision, as will be appreciated, for a mark to be made as already explained with respect to Fig 20, that links a used entry to the printed signature roster 1 form to be described with reference to Fig 2 IB. In the example, it will be seen that three voters have already been admitted from the page or portion of the poll book shown, and the serial numbers stamped are "020" for Jo-Ellen Jones of 783 Cedar Rd., "023" for John Jones of 142 Park Ln., and 025 being filled in for Joe Joe Jones of 2131 Elm St., as will be 4 explained further.
Referring to Fig 2 IB, a printed form and device are shown, where the so-called "reel-to-reel" approach to printing 7 is used as an example. Also indicated is a protective cover with an opening for voters to sign directly onto the paper that is preferably transparent to allow voters and other to view at least a part of the previous entries. In some examples, what can be photographed is differentiated from what can be seen, as already explained, such as by use of colored filters or 0 other techniques described elsewhere here. (A mechanical shaft protruding from a part of the device will be understood to indicate that operation of the log by an increment for a signature can optionally allow another mechanism to advance.
Examples include devices that give access to forms, voting machines, or voting machine access authorizations means.) J In the example, Joe Jones has signed his name as the 25 'th actual voter in the poll book voting at this polling place. The signature stored electronically for him, however, has not yet been printed. As already explained with reference to Fig 20, the signature on record is preferably printed or viewable only after the purported voter has made a signature. It , will be appreciated that no signature is of record for the person filling provisional ballot request form "P15," although one was on record for voter D.J. Conner, who was known to an automated poll book function as being registered to vote at precinct "number 34." 9 Referring to Fig 21C, an example provisional, contested, wrong-precinct, or other type of form is shown that is to be used in case a voter is not in the poll book correctly. A variety of information is required to be filled on the form, such 3 as by the legal setting and operations, an example of which is shown for concreteness. Also indicated is a machine- readable and preferably unique number/identifier for the form instance, "P 15," that is then scanned and shown on the log tape as explained. For this particular voter, no signature was on file. A mark, shown as the word "recorded" is stamped on β the form to indicate that the corresponding log entry has been created and that the voter has signed it.
Turning now to Figure 22, a combination block, functional, schematic diagram, plan, and pictorial view of an 9 exemplary embodiment of a manual paper-based polling-place sign-in and forms in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Three different related parts are shown in Fig 2 IA-C, much as with the partly automated version of Fig 21 already described. Compared to the 2 embodiment of Fig 21, the poll book Fig 22A is without barcodes and instead of marking by sequence number stamps during use, sticker are adhered to it that include the signature formed by the voter and a pre-printed sequence number.
s Referring to the log of Fig 22B, a substantially mechanical device is shown that allows a single sticker and number position to come under the opening in the transparent cover. The number written is the poll book position of the corresponding voter (or the form number). This number is preferably written by an election worker. The voter signs the 3 sticker through the opening and a carbonless image of the signature is transferred to the paper form that is shown with tractor feed. Carbonless stickers are believed known in the art, but in any case are readily formed as a carbonless paper that receives a pressure sensitive adhesive only around its periphery and that is adhered to the form for instance on an area i coated with a release material. The sticker is then removed and placed on the corresponding position on the poll book. (An output shaft symbol is included, for purposes such as those already described with reference to Fig 21B.)
4 Referring to the form of Fig 22C, a substantial difference with respect to the form of Fig 21C already described is the sticker from the log form that has been adhered instead of the "recorded" stamp marking.
7 With reference to Figures 23 through 28, generally, various threats can be categorized to allow better appreciation of the reasons for and differences between systems, though these are not necessarily considered to be exhaustive or mutually exclusive. An example threat is ballot box "stuffing," which is used here to refer to the addition of ballots that 0 have no corresponding entry in the poll books, thereby creating more ballots than poll-book entries but hiding which are the improper ballots. Another threat is "swapping," which is used here to refer to the interchanging of ballots that will be counted with other ballots, either totally fake ballots or ballots actually cast that would not otherwise be counted, such as 3 provisionals that are not positively adjudicated. Related is the threat of "swapping in" fake ballots for real ones, something that the systems described here are generally believed to substantially prevent. A further and subtler threat is ballot "spoofing," which has voters fooled into using false ballot forms with possibly other false supplies and/or poll 6 books, thereby leaving open the possibility to fill and substitute the genuine ballot forms.
Different systems can be used for different voters in the same election. For instance, some voters may vote at their home polling place and others may vote provisionally. The former need only a system that guarantees that each vote will be counted; the latter need a system that allows the votes to be divided after the election between those that will be counted and those that will not.
3 In some example variations, encrypted votes are also included. For example, write-ins are optionally not encrypted, but other votes are. In some examples, counterfoils, as well as optionally interfoils, have encrypted votes on them. It is anticipated that substantially any embodiment disclosed here can be augmented to include encrypted votes or B to substantially run along side a system of encrypted votes.
A voter uses more than one object to vote, in some examples, and the voter preferably chooses these objects. The way the choice is made is preferably so that the voter can ensure the randomness of the choice and that the choice made is 9 substantially hidden from the poll workers, such as by being taken or dropped from a rotatable hopper or by reaching into a box or bag. Tin's is believed to ensure that the linkings would not be known to those who have scanned the forms in advance. Envelopes and/or scratch-off coverings for example, optionally, are used to obscure the identifiers and/or
12 microstructure until they are to be revealed.
Redundancy developed by including linking to a poll book entry as well as a receipt is believed to have the advantage that both can be used separately, providing two avenues for audit. Optionally, also linking such poll book is entries and receipts allows a kind of voter audit of the link between receipt and poll book. For example, in addition to or instead of voter receipts, a "stub," that counterfoil remaining after a ballot is removed from a poll book or booklet of ballot forms, links physically to an interfoil or ballot form and optionally also to a corresponding receipt.
18 The systems described here are believed capable of ensuring that substantially the correct ballots are counted.
Modification of the votes on a ballot is preferably protected against. There are a number of techniques that are believed to increase the difficulty of surreptitiously changing something that has been written. One is to laminate a coverlay or apply
21 a coating or spattering. Indelible inks and punching of holes are examples of permanent marks as is the fused toner of a copier or a chemical reactive ink system that is "fixed" to prevent further development of images. The marks can be made difficult to duplicate, such as by using special punch patterns or special pens/pencils, even with morphing color patterns
24 and/or inks that reveal aging. A special no-vote mark, or simply overvoting by filling multiple locations, serves as protection for voters that un-voted contests will be voted for them by those gaining access to the ballots. Publishing scanned versions of the ballots as soon as possible gives less time for improper modifications.
27 In preferred embodiments it is desired that voters be unable to easily record identifiers for their ballots, since this can be used in various so-called "improper influence" schemes. One example of hiding means is by microstructure that requires special equipment to read, such as light, magnification, chemical development, electromagnetic readers, etc. A so further feature of a hiding system involves a substantially irreversible step that leaves evidence that the information was read. One example of irreversibility is by well known latex scratch-off protection. Such means have the further advantage that identifying numbers can be printed next to each microstructure for ease in verification, particularly for voters.
33 Indicia are optionally on one side of a linked interface or different indicia on different sides of such an interface including with cryptographic linking.
ae Five exemplary embodiments are described, the second having two variants. The first embodiment and first variant of the second embodiment are not believed to rely on an accounting of the forms used; the other variant and embodiments do. Such an accounting is preferably against published lists of form microstructures, and is optionally augmented by
39 dropping out marked blocks of objects, such as those labeled for a particular compromised precinct. It is believed that the systems relying on such accounting are more attractive at least in some embodiments, but that they are less robust in the face of slippage and failed accounting. Arguably, the integrity of an election with poll books and non-recallable votes, the 3 most common type of election system, requires a good deal of audit capability around the poll books and especially ballot forms and a similar requirement additionally around foils may be acceptable, particularly since if it is violated the degradation in integrity is revealed.
Turning now to Figure 23, a combination schematic and plan view of an exemplary embodiment of an interfoil and counterfoil arrangement in accordance with the teachings of the present invention will now be described in detail 9 sufficient for those of skill in the relevant art. An example system is as follows: Each form is comprised of a ballot and two foils. The counterfoil to the ballot, that is part of the form separably attached to the ballot, is called here the "interfoil." The interfoil itself has a counterfoil, which will serve as the voter receipt. Microstructure, such as paper fiber 2 pattern, fiber/planchettes in whatever matrix, and or sandblasted region, believed hard to duplicate is in regions on the forms, such that splitting the form at a parting line of the region lets each half be a kind of "signature" that is readily authenticated as matched with its counterpart. As depicted more particularly in Fig 23B, the interface between the s interfoil and receipt is also for convenience printed with a barcode, each bar of which extends across the parting/perforation line separating the interfoil and receipt. Each receipt also preferably bears the barcode information as human-readable indicia. s During voting, a voter, after filling his or her ballot, separates the three parts of the form. Voters keep their receipts but deposit both the ballot and interfoil into ballot boxes. The interfoils are successively tumbled and scanned three times as follows: (i) The first scan, after the first tumble, is of the receipt number part (and is optionally used to divide the 1 interfoils into batches, as described later, but a single batch is considered further here in this example for clarity), (ii) After the second tumble, signatures of, say, the middle section of the interfoil are scanned and posted, (iii) Then, after a third shuffle, the remaining interface, that between the ballot and interfoil, is published. (As will be appreciated, this 4 particular exemplary tumbling and scanning is believed to have the advantage that the scanning apparatus can be arranged to only be able to see each signature area during the corresponding scanning pass and the signatures can be published as they are read.) The ballot images are preferably themselves published paired with the corresponding signatures, though it 7 is believed integrity can be maintained without this step, through adequate accounting of the ballots.
As mentioned above related to tumbling and scanning (i), during that first pass the interfoils can be divided into separate batches and all subsequent processing carried out on each batch separately. As one example, three batches are 0 used: regular ballots, provisional ballots to be counted, and provisionals not to be counted. The rest of the processing described is carried out for each of the batches, three in this example, separately.
Once all the signatures are thus published, the "challenge choice" is made, such as by a lottery style draw followed 3 by cryptographic expansion of the draw result, so that one bit is associated with each interfoil signature. The interfoils are tumbled for the fourth time and parts of them are removed: if the bit for a particular interfoil is set, the receipt interface signature is cut away from that interfoil and destroyed; if the bit is reset, the ballot interface signature is cut away and 6 destroyed. What remains of the interfoils is posted and made available for physical audit in its final ordering. The ballot counterfoil interfaces are preferably printed with unique identifiers (preferably after voting or at least preferably not readily readable by voters) and these are associated with the counterfoils that corresponded to set bits of the challenge 9 choice. Any voter is preferably allowed to check that the receipt interface published matches that which they physically have, using the unique identifier to facilitate the lookup. Any ballot with a published interfoil interface signature should be physically auditable by interested parties.
Turning now to Figure 24, a combination schematic and plan view of an exemplary embodiment of a counterfoil overlay arrangement in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. An exemplary system is as follows: Both ballots and receipts have counterfoils, that of the receipt is numbered including by barcodes, preferably in some examples the bars of which as in the earlier example extend over the separation lines. Interfoils, in some embodiments taking the form of overlay stickers, are able to be affixed between the counterfoils. The interfoils can be attached to the ballot signature portion of the ballot, on one side, and the receipt/affidavit counterfoil, on the other side. The identifying numbers and unique microstructure detail are posted in advance for each interfoil object, such as the overlay interfoil shown. The microstructure regions of the counterfoils are at the parting lines, those of the interfoil preferably located away from where the counterfoil will affix; when the interfoil is affixed, the ballot and receipt parts can be separated, such as by die or perforation shown. As shown more particularly in Fig 24B, a "cover" layer on the interfoil part can protect the privacy of any microstructure and particularly any indicia that may optionally be printed for convenience in use.
A voter chooses a ballot and interfoil, preferably independently at random from a collection of each (preferably giving the voter confidence that which instances the voter uses are not known to others, such as those running the election). The receipt can, for example, be given to the voter, be a counterfoil itself from a poll book, and/or an affidavit form. There are two variants: (i) the voter in the first variant chooses which counterfoil the interfoil will be associated with; (ii) in the second variant, the decision is made at once for a set of ballots, each ballot getting a bit that results from the challenge choice. In the first variant, the voter is to attach the interfoil to one of the two counterfoils, destroy the other counterfoil, and put the attached foils in the ballot box. In the second variant, the voter puts into the box the fully assembled combination of the two counterfoils affixed to the interfoil. In the first variant, those running the election are, preferably prior to voting, to post images of the foils and put them on display or otherwise make them available for audit; in the second variant, a challenge choice determines which pairs are to survive and be made available for audit and as a consequence which counterfoils are to be severed from the interfoil and destroyed.
Audits in either variant should include the ballots voted, preferably both in a digital and physical form. Also, voters are preferably able to see that their receipts are among those posted, by number, and can even check the microstructure of their receipts against the posted image. The published records should be checked for consistency among themselves, such as lack of duplication of signatures. Auditors should check at least their own random sample of each of the available forms for consistency with the published record. In the first variant, those components that were unused but not excluded from the accounting (such as by a polling place or other subdivision designator indelibly included in the object in advance) are preferably all made available for audit. Consistency checking should include particularly that exactly only signatures from the accounted set of signatures are used. It is believed that in the case of a batch of provisional ballots, the choices made by voters as evidenced by the retained parts should be kept secret from those conducting the election until the partitioning of ballots into batches is committed to (otherwise interchanging ballots between batches might not be detected). Turning now to Figure 25, a combination schematic and plan view of an exemplary embodiment of a sticker interfoil arrangement in accordance with the teachings of the present invention will now be described in detail sufficient 3 for those of skill in the relevant art. An exemplary system is as follows: Stickers have unique numbering indicia and microstructure, published together preferably just prior to the election. Voters are to take two stickers from a tumbler hopper or the like, so that the voter has some confidence that the stickers are not known to correspond to each other or to B the voter, and apply one to the ballot and take the other home as a kind of receipt. The receipt sticker can in one variant be applied to a counterfoil from a poll book before being provided to the voter, thereby providing a linking to the poll book or at least the page. Voters can check the validity of the receipt against the published list and auditors can check the ballot 9 stickers against the same list. A cover layer not shown can provide protection for indicia, such as against voter or polling- place observer, until they are needed in processing.
It is believed that this embodiment bases its efficacy on an accounting of the stickers. If a known number of 12 stickers are lost (and they can neither be counterfeited nor moved between forms), then it is believed injecting fake ballots into the pool would be limited to one per lost sticker. As mentioned elsewhere, indelible markings on stickers that divide them into collections that are not too small as to pose a privacy problem, such as per precinct, can be used to exclude is collections that have fallen into the wrong hands.
A second variant of the third system, differs from the first variant already described in that instead of stickers each ballot has two counterfoils. As indicated in Fig 25B, a voter is to remove and keep one counterfoil as the receipt and leave is the other intact. Which one the voter takes should be clearly the free choice of the voter. Each counterfoil has a microstructure and human readable identifier, at least the identifier being covered by scratch-off latex or the like (all much as in Fig 23) but not shown here for clarity. Otherwise, the counterfoils act like the stickers of the first variant.
21
Turning now to Figure 26, a combination schematic and plan view of an exemplary embodiment of a split foil arrangement in accordance with the teachings of the present invention will now be described in detail sufficient for those
24 of skill in the relevant art. An exemplary system is as follows: This system handles provisional votes; it is well suited for combination with the above described third system, which cannot handle provisional votes. Voters are divided between the two systems, even though ballot forms from the same set are optionally used. The foils used are optionally self-
27 adhesive and will be called "stickers" or "splits," because they are preferably pre-perforated to allow separation along substantially a preferably pre-arranged line, such as a perforation, leaving each with its unique identity hidden until revealed. The pairs of unique microstructure signatures and any identifying indicia are published preferably in advance.
30 The ballots and matching affidavits each provisional voter receives are connected by a split sticker/foil, as shown in Fig 26A. Voters choose a second sticker from the same batch and are to take it home, preferably adhered to something, such as a poll-book or affidavit receipt, in order to prevent its re-use for another purpose, and optionally split between the
33 affidavit and the voter receipt. In one optional configuration, the affidavit itself receives one part of the second split and the other part is a counterfoil receipt for the voter. In another example, the voter can take an entire split affixed to a receipt backing, as shown more particularly in Fig 26B. ae After votes are cast, affidavits are adjudicated into "to be counted" and "not to be counted" classes, and each affidavit sticker split is preferably marked accordingly by an indelible means, such as a corresponding punch shape, on the sticker portion as well as preferably on the form itself. After an audit of the affidavits, the affidavit stickers are
39 detached and tumbled and their numbers are then revealed. The numbers on stickers affixed to the ballots should preferably also be revealed at the same time. The ballots corresponding to the numbers in the to-be-counted batch of affidavit stickers is then ready to be counted and the ballots in the other batch are not counted but preferably checked for match as well. (It is anticipated that a variation uses false ballots to mask the provisional ballots.)
It is believed that this scheme bases its efficacy at least on the stickers not being counterfeitable or transferable among forms. And further, the severing and tumbling of the stickers must be carefully observed for substitution of numbers that would have been pre-arranged to correspond to fake ballots; unless, there is an accounted limit on the number of stickers available, such as already described publishing of all the sticker numbers before the election. The number of stickers unaccounted for is the number of votes that can readily be cheated unless the cutting and tumbling is watched.
Another exemplary system is as follows: First an introductory description will be given. The system is a hybrid of encrypted vote and signature techniques. The signatures are used mainly for write-ins, but also allow clear attribution of cheating in the case of disputed receipts.
In use, voters fill at least two layers of ballot form. An upper layer shows a set of choices preferably in permuted ordering (and/or positions not included for clarity), comprising the encryption of the vote. A lower layer, onto which the marks made by the voter on the upper layer are transferred, such as by carbon/carbonless copy paper, can also be written on directly by voters. For write-in votes, the voter is to fill the oval for the choice labeled "write-in" on the upper layer and then write on the lower layer, in the corresponding space provided, to record the name that is to be written in. The lower layer is preferably divided, and physically dividable, into regions for each write-in vote (or optionally contest that allows multiple write-ins). And each such region preferably contains a signature. Associated with such a signature, preferably by published cryptographic commit and/or also by printing on such region, is an indication of which position the transferred mark must be in to indicate that the voter has voted the write-in ballot position on the upper layer and not instead voted a candidate position. If the transferred mark is in this position, it is counted; if it is not in that position, it is not counted.
A signature is also preferably included on at least one page other than the page with the write-in regions, including preferably at least one of a receipt layer and/or a layer retained centrally. All signatures used are preferably posted/committed in advance, to allow audit of the forms themselves. One example type of such audit anticipated in the co-pending applications is that voters themselves would be allowed to take more than one form and can then look that form up later to verify that it contains the proper indicia. Another example type of audit, believed made effective by the signatures having been posted, is posting and display of randomly selected ballots. One example way to select such ballots is before an election using whatever physical randomization or lottery-style random draw techniques. This has the advantage of detecting bad setups before an election would have to be re-run. Another example way to select forms is to allow voters to choose their own forms from a batch of forms and then use all the remaining forms in audit, which has the advantage of making good use of extra form capacity.
In a preferred example embodiment, the signatures are committed to in advance by posting each and the signatures are grouped into lexicographically ordered sets for each part of the form and each contest witln'n the write-in pat of the form. Posting encrypted signatures, preferably using the known types of encryption that ensure exactly one decryption, is believed to impede some cheating scenarios. Optionally, the commits for the lower-layer signatures are opened only once the write-in regions that have been filled are committed to, such as by being posted, again believed to impede some cheating scenarios. In some examples, encryptions of information about the signatures are used to tie two parts of the same form together. For example, a receipt page and a part that bears the encrypted votes can be linked by each having a 3 signature with a commit to the pair of signatures published. The association is thus hidden from those who merely see the forms, but can be determined and even revealed using the decryption keys. In other examples, encryptions of information about the signatures commit to which position is the write-in corresponding to each region, and thus allow a physical e write-in region that includes its signature to be sufficient to determine whether a name written on it should be counted.
Turning now to Fig 27, an example flowchart in accordance with the teachings of the present invention will be
9 described to illustrate the process steps as will be appreciated for one exemplary embodiment, the differences in steps for the other exemplary embodiments being believed substantially clear from the rest of this specification. Box 90501 begins with manufacture of the ballot articles with suitable microstructure regions. In one example, this can be ordinary paper, 2 preferably with a printed boundary indicating the microstructure region, other examples already having been described more generally. Then box 90502 is the manufacture of the interfoil objects along with the posting, such as on the Internet or in a recording medium, of the corresponding identifying signatures. This establishes a "universal set" of all valid s interfoils; further marking these partitions them, such as into batches per precinct, so that for instance supplies compromised for a precinct can be left out as mentioned.
Box 90503 is the top of the loop for the steps by each voter, although some voters may "bolt" and not finish all 8 steps. More than one voter, naturally, may be performing these operations at the same time. Box 90504 includes the standard signing in of voters by marking a poll book, such as a manual paper poll book. It also includes the voter preferably being able to choose the ballot form from a collection of substantially identical ballot forms, preferably in a 1 way that which form which voter gets is not known to those operating the polling station. Also, the voter preferably chooses the interfoil in like manner. Where an affidavit is used, for provisional voting, not shown for clarity, it would be provided and filled at this point. Then as shown by box 90505 the voter fills the ballot in the booth, as usual. Next the 4 voter as called for in box 90506 combines the interfoil with the ballot part and receipt/affidavit part by affixing them together and then separates the ballot and receipt parts from the new combined part. In some examples, the voter in the booth accomplishes this without assistance; in other examples, apparatus automates this step in the booth or outside of the 7 booth. Finally, the voter completes voting as shown in box 90507 by placing the ballot and interfoil configuration separately in one or in two ballot boxes.
After they are voted, at the close of polls or optionally periodically, the receipt or affidavit microstructure part is 0 scanned in step 90509. Optionally, this step is accomplished during manufacture of the receipts and/or affidavits, as indicated by the dotted line, and allows step 90509 to be conducted preferably even at the opening of polls. Step 90509 is the facility for voters to check that the signatures that they have received on the receipt or affidavit is one of those listed. 3 It will be appreciated that some posted signatures will not ever be matched by voters, at least because they were not issued; however, this is believed not to pose an issue to the integrity of the system.
Step 90510 represents two successive scans of the interfoil sets, each scan preceded by a tumbling of the interfoils. s In the example shown, first the interfoil signatures are read and then in the second scan the ballot part signatures are read. As mentioned elsewhere, it is believed advantageous that the scanning can post the outcome as it is scanned and that the physical apparatus can be observed as only having access to the part of the interfoil that it is supposed to for the particular 9 scan underway. Box 90511 is the creation of the challenge choice, preferably by a mutually trusted random process once the signatures are committed to. In some examples this can, as mentioned, include a lottery draw type of public random a number selection with an agreed method to expand the random number into a sufficiently large string of bits if needed.
Examples of such expansion functions are the so-called cryptographic "pseudo-random sequence generators," about which a substantial there is substantial scientific literature, combined with a complete ordering of the interfoil signatures, 6 such as a lexicographic ordering. As an illustrative variation, the interfoil sets are after being tumbled physically divided by bulk handling into two batches, one for each bit value.
Box 90512 then shows the final tumble and severing of the parts from the interfoil that are dictated by the 9 challenge choice. In particular, in a preferred example, the scanning apparatus is loaded with the choice information per receipt or affidavit number or signature. Then, when an interfoil set is scanned, that number is looked up and if the corresponding bit is set, that signature is physically severed from the interfoil and destroyed. If the bit is reset, then the 2 ballot signature part is severed and destroyed.
Finally, Box 90513 shows the opening for physical inspection in audit of the physical parts of the interfoils that remain after the previous step and/or the auditing of the information posted. 5
Turning to Figure 28, a plan and schematic view of an exemplary embodiment of a ballot with write-in in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the 8 relevant art. Three primary "pages" are shown on a form preferably on a single piece of paper, though separate pieces and secure binding between them is an option. The top page looks like a traditional optical scan ballot, but the candidate names are in a permuted order for this particular form instance, which happens to have serial number 6-453-493-Z. The 1 instructions with the "write-in" oval ballot position indicate that, in order to cast a write-in vote, the voter should fill the so-labeled oval and write the name on the inner page. The inner page in turn instructs the voter to print the name in the rectangle provided. It also warns the voter not to have any part of the form physically placed below the page while 4 writing the name on it, which is to prevent copies of the names from being made on other sheets.
A single sheet of paper is shown with all three pages, three up, side-by-side, with perforation lines dividing the pages for ease in separation by the voter. The printing is on both sides; the backside of pages with printing is shown for 7 clarity, as will be appreciated, grayed out as a dot pattern. The side shown facing up in Fig 28A is uncoated; the opposite side, that shown facing up in Fig 28B, is preferably coated with a well-known carbonless copy coating known as "cs" or "self-contained." With such coatings, writing pressure makes visible marks by rapturing microcapsules containing die 0 precursors that are developed by other chemicals in the same coating layer(s). With the "G" as opposed to "Z" folding pattern, as shown in Fig 28C, the inner page and bottom page are facing each other and below the top page. Thus, filling an oval on the top page using sufficient pressure applied to a writing instrument, for instance, should cause visible marks 3 over one of the dots on the inner page and over a corresponding dot on the bottom page. It is believed that if the writing pressure is sufficient for a mark on the inner page to be developed, it is also sufficient for substantially as dark a mark to be developed on the bottom page, since no paper separates the two facing cs coatings. Also, as will be appreciated, the 6 marks made on the top page also transfer to the underside of the top page, mirrored, because of the cs coating. This allows the backside of the top page to reveal the encrypted votes but not the plaintext votes.
Microstructure signature regions are shown on each of the three pages, all on the same side for convenience. 9 Encodings of the microstructure for each are, as mentioned, posted before the election, each in a separate set: one set for all the front pages, one set for all the inner pages, and one set for all the bottom pages. If there were more contests with write-in positions, there would be corresponding write-in regions, and preferably each would have a signature and be 3 posted in a corresponding set. Additionally, associated with each signature for a write-in region is an encryption of (or
"commitment to") the ballot position that must be marked in order for that write-in to be counted.
A description of the operation of an exemplary embodiment will now be presented. First the forms are made and 6 printed and the signatures are scanned. The signatures for a page are then preferably posted, preferably in lexicographic order (optionally encrypted as mentioned already). The signatures on the inner page are for convenience posted along with the corresponding serial numbers. A cryptographic commitment, preferably tied to the signature(s) on the inner page, 9 is preferably posted as to which oval would need to be filled for the (corresponding) write-in to be counted. But preferably nobody knows which serial numbers the signatures, apart from those on the bottom page, correspond to.
Another commit is preferably published locking-in but hiding to which serial number the signature on the backside of the 2 top page corresponds. The encryption keys are maintained by at least one trusted entity.
Voters receive a form, say, at the polling place. In the booth, they then fill the oval corresponding to their vote using a preferably special pen or pencil. To vote write-in, they fill the third oval from the top in the example shown, the 5 one that is labeled "write-in" where the candidate name would otherwise be; then they open the form up and write the name of the candidate they prefer in the box on the inner page. When finished filling the form, the voter separates the three pages along the perforation lines. The bottom page is kept by the voter as the receipt, as indicated by the text on it. 8 The top page is placed in a ballot box, as is the inner page. The top page is optionally counted manually, as is well known, such as for a preliminary total, fallback, or double check. A digital capture of the vote, apart from write-ins, is accomplished by, for instance, scanning the top page or its mirrored image on its backside. Scanning the backside of the 1 top page is preferable, as it gives the encrypted vote without exposing the cleartext vote. (Another option is to scan the image on the inner page and preferably use a separate signature to link it to a serial number as has been described for the backside of the top page.) Processing of encrypted votes, with the voter being in possession of the receipt containing the 4 encrypted votes, is known in co-pending provisionals/applications by the present applicant hereby included in their entirety by reference.
The write-ins on the inner page are preferably scanned along with reading the adjacent signatures. The decryption ~ related to the signature reveals the pre-determined write-in position. If this pre-determined position matches that of a unique transferred mark, then and only then is the write-in counted. An image of the write-in region is posted and the physical piece of paper, preferably cut away from any other write-in regions, is also made available for inspection. The 0 decryption of votes, mentioned above, is believed to reveal the total number of write-in ovals properly filled for each contest. Only this number of write-in regions is believed strictly needed to be displayed/posted, in systems where all contests are voted or marked as un-voted. But, since guarantees of indelible marking on all ballots may not be adequate in 3 some implementations, it is preferred that in such implementations all regions be displayed for verification.
An affidavit is currently required in some election settings, such as some provisional and absentee voting. A separate affidavit form bearing the receipt serial number is believed adequate. It is anticipated, however, that voters be 6 allowed to retain copies of such affidavits, such as carbon/carbonless copies, optionally bearing some authenticator(s).
Turning now to Figure 29, a detailed flow and block diagram related to an exemplary embodiment of a ballot with 9 write-in in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Structure related to this embodiment is to be described with reference to Fig 28, and this should be read in conjunction as will be appreciated. Box 90701 is the production of the ballot forms. One aspect of this is the 3 physical production of the paper, perforations, and folding. Another is the scanning of the signatures. A further aspect is the printing of the receipt numbers. The printing of the encrypted contest descriptions is preferably possible at a later time, such as with so-called demand printing. a Box 90702 includes the posting of the signatures. As already mentioned, these are posted in batches. There is a separate batch for each the top page and the bottom page. There is also one batch for each write-in region, of which only one is shown in the example for clarity. Another posting included is the cryptographic commitment to the write-in 9 position valid for each write in region. A further posting, already mentioned, is the commit to the pairing of the ballot numbers and the top page signatures.
Box 90703 is the top of the loop for the voter process example for clarity in a polling place and provides the steps 2 for a voter experience, many of which may occur in potentially overlapping times during the voting period. Box 90704 is the marking of the poll book and the issuing to the voter of the ballot and, in the case of provisional (or vote-anywhere) voting, an affidavit. Box 90705 then shows the voter marking the ballot for contests that either do not have write-in or for s which the voter does not vote write-in. Box 90706 is the voter filling any write-in names on the inner page, after having marked the corresponding write-in position on the top page in box 90705. Preferably before leaving the booth, the voter separates the pages along the perforation, as indicated in box 90707. Finally, box 90708 shows the voter keeping the 8 receipt and the placing of the other two pages into separate ballot boxes or a combined box. It is anticipated, however not shown for clarity, that the voter optionally displays the encrypted vote backside of the top page to a poll worker or to a digital camera device for instance, in order to provide a check that it was filled properly and/or to record the encrypted 1 vote.
Returning to the central processing in box 90709, first the scanning of the encrypted votes is shown, although this optionally is a residue from the camera of box 90708. Also the signature related to the page from which the encrypted 4 votes are scanned is preferably read at this time. Then, also shown, is the posting of the encrypted votes along with the receipt numbers. In the example, this number is determined by decryption of the commit to the pairings of signatures and numbers mentioned. Box 90710 shows voters then being able to check, preferably online, that the encrypted votes on the 7 voter receipts do in fact match those posted under the matching receipt number.
Box 90711 shows the process of public decryption of the encrypted votes, as is known. Box 90712 is the creation and posting of the unpredictable challenge choice used in the audit of the encrypted votes. And box 90713 is the scanning o of write-in regions and the marks copied on the regions from the ballot marking. Also, included is the capture of the corresponding signatures. The write-in regions are preferably physically separated and independently re-ordered, so as to reveal less information. Also, it is determined which write-in regions are to be counted. The actual OCR and/or human 3 recognition of the names to be counted is optionally preferably done at this time, so that what is posted does not include handwriting or other additional information.
Box 90714, finally, is the publishing and displaying of the various keys and signatures for audit. Included among 6 the keys are those used in known manner for the decryption of the encrypted votes. Also revealed are the keys establishing the correspondence between the receipt numbers and the backside of the top page. Included among the parts to display are preferably all the write-in regions and their attached signatures. It is anticipated that in case of dispute over 9 the published image of particular receipts, the backside of the top page would be shown along with its signature. Turning now to Figure 30, a detailed plan and schematic diagram of an exemplary punchscan ballot with write-in 3 in accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. Shown in Fig 30A is a modified version of the un-voted ballots already described with reference to Fig IA- B. In particular a "write-in" option has replaced one of the candidate choices, as will be appreciate, and a microstructure s signature region with associated apparently random identifying indicia has been added, all below a perforation line and on both layers. Accordingly, a corresponding example write-in voted version of each layer is shown in Fig 30B3 where the write-in position has been marked by the voter, much as explained with reference to Fig IC-D, but the name of the 9 desired write-in candidate is then also written in by the voter on the line provided.
In operation, provision is preferably made during the initial commitment phase already described, such as that with reference to Fig 10-11, for a second set of transformations that map to the original results table entries to the '2 microstructure signatures identified by the write-in signature identifier numbers shown. (Thus, a kind mirrored copy of the middle transformation table and commits is formed around the line through the results table)During voting at a polling place, for example, the write-in part from the layer that would be destroyed is preferably separated and placed in a kind of 1 s ballot box; with mail-in or manual voting, the write-in is of course on the part mailed or placed in the box and optionally is not separated. When a results table entry shows a vote for a write-in (as shown by the marking of the middle position, "B" in the present figure), the second set of transformations is used to show that it does map to one of the posted set of is write-in signature identifier numbers that has been written in (without revealing which one). The corresponding commits are preferably opened for checking during audit of the writ-in counterfoils. So that voters can check that the microstructure signature on the write-in part/counterfoil of their receipt does match that committed to, all the commits for ?! microstructure of the receipt parts are also opened.
In some examples, not shown for clarity, a limited number of write-in lines are available to the voter and the voter is to identify both the contest and the desired candidate on whatever write-in line the voter chooses. Rows in the 24 intermediate table of the transformation in this case preferably would appear to allow each result entry to map to the corresponding write-in (respecting any partitioning of results entries as mentioned elsewhere). In other examples, such as with asymmetric ballot forms, like those to be described with reference to Fig 31, it is believed that the transformation is r/ preferably not used.
Thus, it is believed that those running the election have established substantial confidence that the pieces of paper, identified by posted microstructure and in their possession, were in fact parts of the ballots for which voters voted write- -JO in. As will be appreciated, if a voter writes a name but actually votes for another candidate, then the corresponding counterfoil can be discarded by those running the election. Improper influence can be further thwarted, for example, by separately treating write-in's that have a multiplicity below a threshold and/or only opening a fraction of the write-in's, 33 chosen at random by audit, to inspection, optionally for those below threshold.
Finally now turning to Figure 31, a detailed plan and block diagram of an exemplary ballot with write-in in 3β accordance with the teachings of the present invention will now be described in detail sufficient for those of skill in the relevant art. The ballot form is substantially similar to that described with reference to Fig 17, although only the first contest is shown and the write-in choice is included in it between the first and last candidate in alphabetical order, as with 39 Fig 30, for clarity. Additionally, it differs in that the write-in space and identified microstructure region are added, much as in Fig 30, with the parts arranged over the four surfaces as shown. While 3 IA shows the un-voted top, 3 IB shows the un-voted bottom, both two up. Similarly, 31C is an example write-in voted front and back view of the left sheet from a 3 IA-B, while 3 ID is an example write-in voted front and back view of the right sheet from 3 IA-B. As will be appreciated, the writing in is to be done by voters on the sheet that is turned in, and thus is done on the back side of it. This optional feature is believed convenient as the voter is less tempted to leave a carbon image of the write-in on the e receipt, and with some carbonless techniques described earlier may not be able to create such an image. The receipt sheet and online images after voting are not shown, as they are substantially as in Fig 17.
In operation, the system is much as already described with reference to Fig 30. Voters, however, always return the 9 top sheet they mark and any write-in's are on its reverse side. Separate ballot boxes or the like are appropriate for these, and scanning of the write-in parts is preferably done after they are batched or disassociated with provisional or mail in affidavit identifiers for improved secrecy.
12 An optional variation, as would be appreciated by those of skill in the art, and not shown here for clarity, omits contest on the ballot form and uses it simply for including in other voting systems the capability to handle write-in votes. For example, with a so-called DRE system in which a receipt is issued, write-in can be accomplished using the techniques is disclosed here. The receipt has a serial number and one or more counterfoils for write-in as disclosed here. Extra foils would preferably be provided to allow voters to audit the microstructure signatures.
Another example use of the present techniques relates to so-called "spoiling" of ballots. When a voter wishes a
18 particular ballot that has not been cast, to never be cast, the ballot is preferably prevented from being tallied and this process is referred to as spoiling. It is believed that a spoiling procedure should preferably not be possible for poll- workers to carry out on a ballot previously thought to have been cast by a voter. It is also believed that a spoiling
.'i procedure should not be able to be un-done or revoked without the voter being able to detect it and give evidence to the contrary. Accordingly, as an example in the system described with reference to Fig 1-3, both the voter and the poll- workers should each obtain a part of each part of the ballot form. Two copies of the serial number are preferably included
24 on each layer for this purpose (which offers some robustness in case of slight damage to a form). The voter gets a serial number from each layer and the poll- workers keep a serial number from each layer. The rest of the ballot is preferably shredded. Similar perpendicular partitioning is applicable to other two-part ballots. With one-part ballots, the ballot itself
27 can be split with each part preferably bearing a serial number. Microstructure signatures help authenticate the parts of a ballot, and are preferably included at least on each piece of paper kept as a record/receipt of spoiling.
30 All manner of variations, modifications, equivalents, substitutions, simplifications, extensions, and so forth can readily be conceived relative to the present inventions by those of ordinary skill in the art. Many examples have already been given above with reference to various aspects of the inventive concepts disclosed.
23 While these descriptions of the present invention have been given as examples, it will be appreciated by those of ordinary skill in the art that various modifications, alternate configurations and equivalents may be employed without departing from the spirit and scope of the present invention.
<6 * * * * *

Claims

What is claimed is:
1. In a paper ballot system, a ballot printed independently from the voter supplied vote information and the ballot 3 comprised of at least two parts and the voter being able to choose at least any one of the at least two parts to retain as an encrypted vote receipt.
2. The system of claim 1, wherein the ballot includes providing a voter with an indication of which position to
6 mark corresponding to a voter choice by allowing a voter to substantially match indicia labeling choices on at least a first of said parts with indicia on at least a second of said parts.
3. The system of claim 2, wherein said indicia on at least one part is substantially visible through at least one
9 provision in at least a second part and the second part substantially above the first part when in use by voters and the combination of the two layers cooperating so that a voter can mark the second part and substantially at the same time the voter can mark the first part through the provision in the second part. 12 4. The system of claim 1 , wherein the ballot includes determining which mark positions correspond to which vote information in production of substantially each of said ballots based on a choice that is substantially unpredictable to the public in advance of the election and that is committed to in advance of the election. is
5. The system of claim 4, wherein indicia on said ballot parts retained by a voter relate to commitments to values formed before the election that can be opened for inspection.
6. The system of claim 5, wherein the ballot system includes marks made by voters, the marks corresponding to 18 coded votes that can be made public.
7. The system of claim 6, wherein a tally is established that corresponds to published coded votes by disclosure of information substantially committed to but not publicly known before the voting.
?\ 8. The system of claim 7, wherein at a polling location either one of the at least two said parts is adapted to be freely selectable by a voter as the part to be destroyed and the other of said two parts is adapted to be retained by said voter as a receipt and information on the receipt is recorded at the polling location.
24 9. The system of claim 7, wherein the ballot allows a voter to be free to select either one of the at least two parts to provide to those running the election and to keep the other part as said receipt.
10. In a paper ballot system, including providing a voter with the option to retain either of at least two ballot parts, 27 each one of the at least two ballot parts substantially comprising a ballot layer to receive cleartext votes and a receipt layer to receive encrypted votes.
11. The system of claim 10, wherein the ballot layer includes mark positions determined based on a choice so substantially unpredictable to the public and the choice committed to in advance of the election.
12. The system of claim 11, wherein the commitment substantially defining indicia on said receipt layer is adapted to be opened to be made public. as
13. The system of claim 12, wherein a tally is established that corresponds to the published coded votes by disclosure of information substantially committed to but not publicly known before the voting.
14. The system of claim 10, further comprising a least a first coating on at least a surface of at least one sheet of 36 paper to transfer marks from a ballot layer to a receipt layer.
15. The system of claim 14, further comprising cooperating coatings on each of two facing surfaces of the ballot layer and receipt layer, the combination to be marked by a voter, and scanning at least a first of the facing copy surfaces to recover the marks and ensure that substantially the second of the facing copy surfaces bears substantially matching marks.
3 16. The system of claim 15, wherein the ballot is adapted for scanning both the surface marked by the voter and the other surface of the same sheet of paper to ensure that the receipt should match the marks on the form.
17. The system of claim 15, wherein chemistry included in said coatings reveals that marks transferred between two e layers are substantially distinguishable from marks made having only one layer.
18. In a voting method with a cleartext vote choice determined by indicia printed at least in advance of the voter supplying votes and that indicia substantially destroyed by voters in order for voters to reveal coded votes corresponding
9 to the voter choice, voters being supplied substantially more than one part per choice and the opening of previously committed values to substantiate that at least some of the parts supplied have corresponding indicia.
19. The method of claim 18, further comprising receiving the coded votes transmitted by the voter and making those 2 votes public.
20. The method of claim 19, further comprising establishing that a published tally corresponds to the published coded votes by disclosure of information substantially committed to but not publicly known before the voting. 5
8
EP06803339A 2005-09-12 2006-09-11 Ballot integrity systems Withdrawn EP1979852A4 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US71621505P 2005-09-12 2005-09-12
US74000705P 2005-11-28 2005-11-28
US74013105P 2005-11-28 2005-11-28
PCT/US2006/035325 WO2007033084A2 (en) 2005-09-12 2006-09-11 Ballot integrity systems

Publications (2)

Publication Number Publication Date
EP1979852A2 true EP1979852A2 (en) 2008-10-15
EP1979852A4 EP1979852A4 (en) 2010-10-27

Family

ID=37865489

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06803339A Withdrawn EP1979852A4 (en) 2005-09-12 2006-09-11 Ballot integrity systems

Country Status (2)

Country Link
EP (1) EP1979852A4 (en)
WO (1) WO2007033084A2 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IT1391501B1 (en) * 2008-09-03 2011-12-30 Franchini ANTI-CANCELLATION AND ANTI-BROGLIO ELECTORAL CARD

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3906192A (en) * 1974-02-15 1975-09-16 Humberto Jose De Carval Cidade Card used on electronic computer for recording and collection of data intended for betting contests and similar contests
DE4118339A1 (en) * 1991-06-04 1992-07-23 Wilhelm Staeudle Gmbh & Co Lottery coupon - has coatings of microcapsule and reactive ink components to transfer entries to customer's copy without carbon paper
US6457643B1 (en) * 1997-12-22 2002-10-01 Ian Way Voting system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4717177A (en) * 1984-05-08 1988-01-05 R. F. Shoup Corporation Absentee balloting system
US4807908A (en) * 1987-03-02 1989-02-28 Business Records Corporation Ballot for use in automatic tallying apparatus
AU2578400A (en) * 1999-02-13 2000-08-29 Kyu Jin Park Method for increasing ballot turnout and ballot paper and public opinion poll paper employed for the method
US6779727B2 (en) * 2001-05-22 2004-08-24 Vanguard Identification Systems, Inc. Voter ballots and authentication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3906192A (en) * 1974-02-15 1975-09-16 Humberto Jose De Carval Cidade Card used on electronic computer for recording and collection of data intended for betting contests and similar contests
DE4118339A1 (en) * 1991-06-04 1992-07-23 Wilhelm Staeudle Gmbh & Co Lottery coupon - has coatings of microcapsule and reactive ink components to transfer entries to customer's copy without carbon paper
US6457643B1 (en) * 1997-12-22 2002-10-01 Ian Way Voting system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO2007033084A2 *

Also Published As

Publication number Publication date
WO2007033084A2 (en) 2007-03-22
WO2007033084A3 (en) 2007-11-29
EP1979852A4 (en) 2010-10-27

Similar Documents

Publication Publication Date Title
US7516891B2 (en) Ballot integrity systems
US7210617B2 (en) Secret-ballot systems with voter-verifiable integrity
US20010034640A1 (en) Physical and digital secret ballot systems
EP1046139B1 (en) Voting system
US8123114B2 (en) Hidden-code voting and marking systems
Chaum et al. Scantegrity II: End-to-end verifiability by voters of optical scan elections through confirmation codes
US20020152379A1 (en) Method, arrangement and device for voting
US8162215B2 (en) Scan-integrity election systems
WO2004061599A3 (en) Method and system for validating votes
US8381977B2 (en) Voting system and ballot paper
US7789306B2 (en) Voting method
Benaloh STROBE-voting: send two, receive one ballot encoding
EP1979852A2 (en) Ballot integrity systems
Blanchard et al. Origami voting: a non-cryptographic approach to transparent ballot verification
US20200027296A1 (en) Voter-verified digital voting audit trail
Prosser et al. E-voting: Usability and acceptance of two-stage voting procedures
RU2753392C1 (en) Method for secret ballot voting and electronic apparatus for implementation thereof
Essex Punchscan: designing an independent verification mechanism for elections.
Demirel et al. Readiness of various evoting systems for complex elections
Carback III Engineering practical end-to-end verifiable voting systems
RU2178203C1 (en) Method for secret ballot using ballot- papers
Storer et al. The StickyBallot Voting Scheme
RU2153192C1 (en) Method for secret ballot elections using voting papers
Al-Shammari et al. A synthesis of vote verification methods in electronic voting systems
Carback et al. Audiotegrity Voting Protocol

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20080331

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

A4 Supplementary search report drawn up and despatched

Effective date: 20100929

RIC1 Information provided on ipc code assigned before grant

Ipc: G07C 13/00 20060101AFI20100923BHEP

Ipc: G09B 7/06 20060101ALI20100923BHEP

Ipc: G09B 5/00 20060101ALI20100923BHEP

Ipc: B42D 15/00 20060101ALI20100923BHEP

Ipc: G06C 23/00 20060101ALI20100923BHEP

Ipc: G06K 7/10 20060101ALI20100923BHEP

Ipc: B42D 5/02 20060101ALI20100923BHEP

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20130123

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20150401