Punchscan with Independent Ballot Sheets: Simplifying Ballot Printing and Distribution with Independently Selected Ballot Halves
Proceedings of the 2007 IAVoSS Workshop on Trustworthy Elections (WOTE 2007) (2007)
Securing Elections: How Independent Ballot Sheets Make Voting Safer and Simpler
Imagine casting your vote with absolute confidence that no one—not even election officials—can trace it back to you, while still knowing your vote was counted correctly. This is the promise of end-to-end (E2E) voting systems like Punchscan. But a critical challenge remained: how to print and distribute ballots securely without trusting any single printer with your privacy. A 2007 research paper titled “Punchscan with Independent Ballot Sheets” tackles this head-on, proposing a clever modification that simplifies logistics while strengthening security.
The Core Problem: Trusting the Printer
Traditional Punchscan uses a two-sheet ballot. The top sheet has candidate names with holes, and the bottom sheet has letters printed beneath. To vote, you mark the letter corresponding to your candidate choice on the bottom sheet. Crucially, neither sheet alone reveals your vote; only the Election Authority (EA) can determine intent by combining them using a secret “Punchboard.” However, the original design required both sheets of a single ballot to be printed together with matching serial numbers. This meant a compromised printer (or anyone with access to printed ballots) could potentially link a voter’s receipt back to their marked choice, violating privacy. Distributing printing across multiple printers was complicated and still required trust in those combining the sheets.
The Binary Weapon Solution: Separating the Halves
The researchers drew inspiration from a “binary weapon”—two safe chemicals that only become dangerous when combined. They applied this concept to ballots: print the top and bottom halves separately with unique serial numbers. At the polling place, voters would combine one top and one bottom sheet randomly. This simple change is revolutionary:
- Reduced Trust: No single printer ever sees a complete ballot. Even if one printer is compromised, it holds only half the information needed to decode a vote.
- Flexibility: Different printers (or even different locations) can print top sheets and bottom sheets independently. Election officials can distribute ballots from various sources without complex matching.
- Privacy Enhanced: The only time a usable ballot exists is when the voter holds it, minimizing opportunities for privacy breaches during printing, storage, or transport.
How It Works: Voting Remains Familiar
The voter experience is largely unchanged:
- At the polling place, a voter receives one randomly selected top sheet and one randomly selected bottom sheet.
- They mark their choice on the bottom sheet using the holes in the top sheet as a guide.
- They destroy either the top or bottom sheet (just like before).
- Crucially, the serial number of the destroyed sheet is copied onto the surviving sheet, which becomes the voter’s receipt.
- The marked receipt is scanned, posted publicly, and kept by the voter for verification.
Maintaining Security: The Punchboard Evolution
The secret “Punchboard” that decodes votes is redesigned to handle the independent sheets:
- Doubled Rows: The tables tracking ballot halves are doubled in size.
- New Tracking: The Punchboard now records which top sheet was paired with which bottom sheet for each vote (the “P3” column in their notation).
- Audits Remain Robust: The system still uses pre-election, results-posting, and post-election audits. Voters can verify their receipt is correctly included in the tally, and anyone can audit the counting process to ensure integrity without compromising privacy. The core cryptographic commitments and verification steps are preserved, ensuring the same level of security as the original Punchscan.
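The voting steps and the pairing record described above can be modelled in a few lines. This is an added example, not code from the paper or the Punchscan project: it assumes a two-candidate contest in which each half carries one secret bit (its letter ordering), and the serial formats, function names and receipt fields are hypothetical. The Punchboard's commitments and audits are not modelled.

```python
import secrets

# Simplified model (assumption): each half's secret is one bit, 0 = "A,B", 1 = "B,A".
CANDIDATES = ["Alice", "Bob"]  # constructed contest

def print_halves(prefix, count):
    """One printer's run: serial number -> secret letter ordering."""
    return {f"{prefix}{i:03d}": secrets.randbelow(2) for i in range(count)}

def cast(tops, bottoms, top_sn, bottom_sn, choice, keep):
    """Voter combines two independently printed halves and marks one hole."""
    letter = (CANDIDATES.index(choice) + tops[top_sn]) % 2   # letter beside the candidate
    position = (letter + bottoms[bottom_sn]) % 2             # hole showing that letter
    kept, destroyed = (top_sn, bottom_sn) if keep == "top" else (bottom_sn, top_sn)
    # The destroyed half's serial is copied onto the surviving half (the receipt).
    return {"kept": kept, "destroyed": destroyed, "kept_half": keep, "mark": position}

def decode(tops, bottoms, receipt):
    """Election Authority: look up both halves by serial and undo both orderings."""
    if receipt["kept_half"] == "top":
        top_sn, bottom_sn = receipt["kept"], receipt["destroyed"]
    else:
        top_sn, bottom_sn = receipt["destroyed"], receipt["kept"]
    letter = (receipt["mark"] - bottoms[bottom_sn]) % 2
    return CANDIDATES[(letter - tops[top_sn]) % 2]

def consistent_votes(known_ordering, mark):
    """Votes still possible for someone who knows only one half's ordering."""
    return {CANDIDATES[(mark - known_ordering - other) % 2] for other in (0, 1)}

if __name__ == "__main__":
    tops, bottoms = print_halves("T", 5), print_halves("B", 5)
    receipt = cast(tops, bottoms, "T003", "B001", "Bob", keep="bottom")
    print(receipt, "->", decode(tops, bottoms, receipt))
    print("one printer alone sees:", consistent_votes(bottoms["B001"], receipt["mark"]))
```

Decoding needs both serial numbers from the receipt, which is why the pairing has to be recorded; with only one half's ordering, every posted mark remains consistent with either candidate.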
Key Benefits: Simplicity, Resilience, and Cost
The independent sheet approach offers significant advantages:
- Simplified Distribution: Election officials can easily use multiple printers for top and bottom sheets, reducing reliance on any single entity and making the supply chain more resilient to disruption or attack.
- Reduced Printing Complexity: Printing single sheets is generally more reliable than printing and folding two-sheet combinations. It also mitigates risks like ink smudging between sheets during printing.
- Marginal Privacy Gain: While the fundamental privacy level (requiring compromise of both halves) remains similar to using two printers in the original system, the independent approach eliminates the logistical burden of ensuring matching serial numbers are paired, reducing opportunities for errors or manipulation during combination.
- Cost Considerations: While secure packaging for individual sheets adds some cost, the overall system benefits from distributed printing and potentially reduced errors.
Why This Matters for Democracy
This research directly addresses a practical vulnerability in secure voting: the trust placed in the printing and distribution chain. By minimizing the information any single entity holds and distributing the critical task of ballot creation, Punchscan with Independent Ballot Sheets makes it significantly harder to mount large-scale privacy attacks. It offers a more flexible, potentially more reliable, and equally secure alternative to traditional ballot printing, bringing us closer to elections where every vote is both private and verifiably counted. While implementation requires careful procedural design (like poll worker assistance in combining sheets), this innovation represents an important step towards making robust, end-to-end verifiable voting systems more practical for real-world elections.