Single Layer Optical-Scan Voting with Fully Distributed Trust

  • Aleksander Essex
  • Christian Henrich
  • Urs Hengartner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7187)


We present a new approach for cryptographic end-to-end verifiable optical-scan voting. Ours is the first that does not rely on a single point of trust to protect ballot secrecy while simultaneously offering a conventional single layer ballot form and unencrypted paper trail. We present two systems following this approach. The first system uses ballots with randomized confirmation codes and a physical in-person dispute resolution procedure. The second system improves upon the first by offering an informational dispute resolution procedure and a public paper audit trail through the use of self-blanking invisible ink confirmation codes. We then present a security analysis of the improved system.


Dispute Resolution Correctness Proof Poll Worker Visual Cryptography Election Commission 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adida, B., Rivest, R.L.: Scratch & vote: self-contained paper-based cryptographic voting. In: ACM WPES, pp. 29–40 (2006)Google Scholar
  2. 2.
    Benaloh, J.: Administrative and public verifiability: Can we have both? In: EVT (2008)Google Scholar
  3. 3.
    Benaloh, J.: Ballot casting assurance via voter-initiated poll station auditing. In: EVT (2007)Google Scholar
  4. 4.
    Benaloh (né Cohen), J.D., Fisher, M.J.: A robust and verifiable cryptographically secure election scheme. In: SFCS (1985)Google Scholar
  5. 5.
    Carback, R.T., Chaum, D., Clark, J., Conway, J., Essex, A., Hernson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E., Sherman, A.T., Vora, P.L.: Scantegrity II election at takoma park. In: USENIX Security Symposium (2010)Google Scholar
  6. 6.
    Chaum, D.: Secret-ballot receipts: True voter-verifiable elections. IEEE Security and Privacy 2(1), 38–47 (2004)CrossRefGoogle Scholar
  7. 7.
    Chaum, D., Carback, R., Clark, J., Essex, A., Popoveniuc, S., Rivest, R.L., Ryan, P.Y.A., Shen, E., Sherman, A.T.: Scantegrity II: end-to-end verifiability for optical scan election systems using invisible ink confirmation codes. In: EVT (2008)Google Scholar
  8. 8.
    Chaum, D., Carback, R., Clark, J., Essex, A., Popoveniuc, S., Rivest, R.L., Ryan, P.Y.A., Shen, E., Sherman, A.T., Vora, P.L.: Scantegrity ii: end-to-end verifiability by voters of optical scan elections through confirmation codes. IEEE Transactions on Information Forensics and Security 4(4), 611–627 (2009)CrossRefGoogle Scholar
  9. 9.
    Chaum, D., Essex, A., Carback, R., Clark, J., Popoveniuc, S., Sherman, A.T., Vora, P.: Scantegrity: End-to-end voter verifiable optical-scan voting. IEEE Security and Privacy 6(3), 40–46 (2008)CrossRefGoogle Scholar
  10. 10.
    Chaum, D., Ryan, P.Y.A., Schneider, S.: A Practical Voter-Verifiable Election Scheme. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Clark, J., Hengartner, U.: On the use of financial data as a random beacon. In: EVT/WOTE (2010)Google Scholar
  12. 12.
    Clarkson, W., Weyrich, T., Finkelstein, A., Heninger, N., Alex Halderman, J., Felten, E.W.: Fingerprinting blank paper using commodity scanners. In: IEEE Symposium on Security and Privacy (2009)Google Scholar
  13. 13.
    Cramer, R., Gennaro, R., Schoenmakers, B.: A Secure and Optimally Efficient Multi-authority Election Scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 103–118. Springer, Heidelberg (1997)Google Scholar
  14. 14.
    Essex, A., Clark, J., Carback, R.T., Popoveniuc, S.: Punchscan in practice: an e2e election case study. In: WOTE (2007)Google Scholar
  15. 15.
    Essex, A., Clark, J., Hengartner, U., Adams, C.: How to print a secret. In: HotSec (2009)Google Scholar
  16. 16.
    Essex, A., Clark, J., Hengartner, U., Adams, C.: Eperio: Mitigating technical complexity in cryptographic election verification. In: EVT/WOTE (2010)Google Scholar
  17. 17.
    Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  18. 18.
    Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-Time Programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008)Google Scholar
  19. 19.
    Carback III, R.T., Popoveniuc, S., Sherman, A.T., Chaum, D.: Punchscan with independent ballot sheets: Simplifying ballot printing and distribution with independently selected ballot halves. In: WOTE (2007)Google Scholar
  20. 20.
    Jarrous, A., Pinkas, B.: Secure Hamming Distance Based Computation and Its Applications. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 107–124. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Kelsey, J., Regenscheid, A., Moran, T., Chaum, D.: Attacking Paper-Based E2E Voting Systems. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 370–387. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  22. 22.
    Kubiak, P.: A modification of punchscan: Trust distribution. In: FEE (2006)Google Scholar
  23. 23.
    Küsters, R., Truderung, T., Vogt, A.: Improving and Simplifying a Variant of Prêt à Voter. In: Ryan, P.Y.A., Schoenmakers, B. (eds.) VOTE-ID 2009. LNCS, vol. 5767, pp. 37–53. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  24. 24.
    Kutyłowski, M., Zagórski, F.: Scratch, Click & Vote: E2E Voting over the Internet. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 343–356. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  25. 25.
    Lundin, D., Treharne, H., Ryan, P.Y.A., Schneider, S., Heather, J., Xia, Z.: Tear and destroy: Chain voting and destruction problems shared by prèt â voter and punchscan and a solution using visual encryption. In: FEE (2006)Google Scholar
  26. 26.
    Lundin, D., Ryan, P.Y.A.: Human Readable Paper Verification of Prêt à Voter. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 379–395. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  27. 27.
    Moran, T., Naor, M.: Basing Cryptographic Protocols on Tamper-Evident Seals. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 285–297. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  28. 28.
    Moran, T., Naor, M.: Split-ballot voting: Everlasting privacy with distributed trust. In: ACM CCS (2007)Google Scholar
  29. 29.
    Naor, M., Shamir, A.: Visual Cryptography. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 1–12. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  30. 30.
    Andrew Neff, C.: Practical high certainty intent verification for encrypted votes. Technical report, VoteHere Whitepaper (2004)Google Scholar
  31. 31.
    Park, C., Itoh, K., Kurosawa, K.: Efficient Anonymous Channel and All/Nothing Election Scheme. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 248–259. Springer, Heidelberg (1994)Google Scholar
  32. 32.
    Paul, N., Evans, D., Rubin, A.D., Wallach, D.S.: Authentication for remote voting. In: HCISS (2003)Google Scholar
  33. 33.
    Pedersen, T.P.: A Threshold Cryptosystem without a Trusted Party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991)Google Scholar
  34. 34.
    Popoveniuc, S., Carback, R.: Clearvote: An end-to-end voting system that distributes privacy between printers. In: WPES (2010)Google Scholar
  35. 35.
    Popoveniuc, S., Hosp, B.: An introduction to punchscan. In: WOTE (2006)Google Scholar
  36. 36.
    Rabin, M.: Transaction protection by beacons. Journal of Computer and System Sciences 27(2) (1983)Google Scholar
  37. 37.
    Ryan, P.Y.A., Schneider, S.A.: Prêt à Voter with Re-encryption Mixes. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 313–326. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  38. 38.
    Ryan, P.A., Teague, V.: Ballot permutations in prèt â voter. In: EVT/WOTE (2009)Google Scholar
  39. 39.
    Ryan, P.A., Teague, V.: Pretty good democracy. In: Workshop on Security Protocols (2009)Google Scholar
  40. 40.
    Sandler, D.R., Derr, K., Wallach, D.S.: VoteBox: a tamper-evident, verifiable electronic voting system. In: USENIX Security Symposium (2008)Google Scholar
  41. 41.
    Sherman, A.T., Carback, R.T., Chaum, D., Clark, J., Essex, A., Hernson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E., Sinha, B., Vora, P.L.: Scantegrity mock election at takoma park. In: EVOTE (2010)Google Scholar
  42. 42.
    Xia, Z., Schneider, S.A., Heather, J.: Analysis, improvement and simplification of prèt â voter with paillier encryption. In: EVT (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Aleksander Essex
    • 1
  • Christian Henrich
    • 2
  • Urs Hengartner
    • 1
  1. 1.Cheriton School of Computer ScienceUniversity of WaterlooWaterlooCanada
  2. 2.Institut für Kryptographie and Sicherheit/EISSKahrlsruhe Institute of TechnologyKarlsruheGermany

Personalised recommendations