Punchscan in Practice: An E2E Election Case Study

A. Essex, J. Clark, R. Carback, S. Popoveniuc

Proceedings of the 2007 IAVoSS Workshop on Trustworthy Elections (WOTE 2007) (2007)

Punchscan in Practice: How a Cryptographic Voting System Fared in Its First Real-World Test

Elections are the bedrock of democracy, but trust in their integrity has eroded over time. From paper ballot miscounts to electronic voting machine vulnerabilities, the question of whether votes are cast as intended and counted as cast has never been more urgent. Enter End-to-End (E2E) cryptographic voting systems—a class of technologies designed to solve this problem by giving voters a way to verify their votes are accurately recorded without revealing their choices. The 2007 University of Ottawa graduate student election marked a milestone: it was the first binding election to use Punchscan, one of the earliest E2E systems. This case study offers a rare look at how such a system performs in the messy, human-driven world of real elections—and what it means for the future of voting.

The Problem Punchscan Solves: Verifying Votes Without Sacrificing Privacy

Traditional voting systems (paper or electronic) have a critical flaw: voters rarely know if their vote was counted correctly. A paper ballot could be lost or miscounted; an electronic machine could be hacked or malfunction. E2E systems aim to fix this by creating a cryptographic “receipt” for each vote: a physical or digital record that lets voters check their vote was included in the tally, but doesn’t reveal who they voted for.

Punchscan, the system tested in Ottawa, is a hybrid of a paper ballot and a puzzle. Here's how it works:

  • A voter receives a two-page ballot. The top page lists candidates with random symbols; the bottom page has holes showing matching symbols.
  • To vote, the voter finds the symbol next to their chosen candidate, marks the corresponding hole (with a dauber), and shreds one of the pages. The remaining page is their encrypted receipt.
  • Only a group of “trustees” (using a shared secret key) can decrypt the shredded page to tally votes. Crucially, no single trustee can decrypt votes alone—preventing fraud.

This design ensures two key goals: cast-as-intended (the voter’s mark matches their choice) and counted-as-cast (the mark is included in the tally). But theory is one thing—real-world use is another. The Ottawa case study tested whether Punchscan could handle the chaos of a live election.
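The privacy property of the two-page ballot can be checked by brute force. The sketch below is an added example, not code from the Punchscan project. It assumes a constructed three-candidate contest and models the dauber mark as a hole position that is visible on whichever page the voter keeps.

```python
import random
from itertools import permutations

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample contest
SYMBOLS = ["A", "B", "C"]


def make_ballot(rng):
    """Return (top, bottom): top maps candidate -> symbol, bottom[i] is the
    symbol visible at hole position i. Both orders are independently random."""
    top = dict(zip(CANDIDATES, rng.sample(SYMBOLS, len(SYMBOLS))))
    bottom = rng.sample(SYMBOLS, len(SYMBOLS))
    return top, bottom


def cast(top, bottom, choice):
    """The voter looks up the symbol beside their candidate and daubs the
    hole showing that symbol; the mark is just a hole position."""
    return bottom.index(top[choice])


def consistent_choices(marked, top=None, bottom=None):
    """Every candidate the mark could stand for, given only the page(s) seen.
    A missing page is treated as unknown: all of its orderings are tried."""
    tops = [top] if top else [dict(zip(CANDIDATES, p)) for p in permutations(SYMBOLS)]
    bottoms = [bottom] if bottom else [list(p) for p in permutations(SYMBOLS)]
    return sorted({c for t in tops for b in bottoms for c in CANDIDATES
                   if b.index(t[c]) == marked})


if __name__ == "__main__":
    top, bottom = make_ballot(random.Random(2007))
    mark = cast(top, bottom, "Bob")
    print("both pages :", consistent_choices(mark, top=top, bottom=bottom))
    print("top only   :", consistent_choices(mark, top=top))
    print("bottom only:", consistent_choices(mark, bottom=bottom))
```

With both pages the mark pins down one candidate; with either page alone every candidate remains possible, which is why the surviving page can be handed to the voter as a receipt.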

The Ottawa Election: A Test of E2E in the Wild

The University of Ottawa’s Graduate Students’ Association (GSAÉD) adopted Punchscan to speed up tallying, prevent double voting, and advance research. The election had five contests (four uncontested “yes/no” races, one contested position) and 154 voters. To make the system practical, the team added two critical modifications:

  1. Digital Signatures on Receipts: A barcode on each receipt verified the ballot wasn’t forged, protecting against malicious voters trying to invalidate results.
  2. Paper Backups: Since Punchscan relies on electronic records, the team added a paper strip (cut from the receipt) to serve as a physical backup—addressing fears of power outages or data loss.

The process unfolded in stages:

  • Ballot Creation: The team used open-source software to generate 3,000 unique ballots (with random symbol orders) and drilled holes in them.
  • Pre-Election Audit: Half the ballots were randomly selected (using stock market data for unpredictability) and publicly audited to ensure no tampering.
  • Polling: Voters marked ballots, shredded a page, and received a receipt. Poll workers scanned receipts, printed overlays (to “lock in” marks), and collected paper backups.
  • Tallying: After the election, trustees decrypted the receipts to count votes. A post-election audit verified the tally matched the encrypted records.
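The pre-election audit step depends on a selection that nobody could predict when the ballots were generated but that anyone can recompute afterwards. The sketch below is an added example, not the Punchscan software's own derivation. The hash-ranking scheme and the seed string are assumptions chosen for illustration; only the figures of 3,000 ballots and a one-half audit come from the text above.

```python
import hashlib

SERIALS = range(1, 3001)  # 3,000 ballots, as in the Ottawa election
# Constructed seed standing in for public market data. The general
# requirement is that it becomes known only after the ballots are fixed.
SEED = "constructed-closing-prices:101.25,48.10,7.93"


def audit_split(serials, public_seed):
    """Rank every serial by SHA-256(seed | serial). The lower half is
    audited; the rest is returned separately as the ballots left over."""
    def rank(serial):
        return hashlib.sha256(f"{public_seed}|{serial}".encode()).digest()
    ordered = sorted(serials, key=rank)
    half = len(ordered) // 2
    return sorted(ordered[:half]), sorted(ordered[half:])


def observer_check(published_audit_set, serials, public_seed):
    """An observer recomputes the selection from the public seed and
    rejects any published audit set that differs from it."""
    audited, _ = audit_split(serials, public_seed)
    return audited == sorted(published_audit_set)


if __name__ == "__main__":
    audited, remaining = audit_split(SERIALS, SEED)
    print(len(audited), "audited,", len(remaining), "remaining")
    print("honest list accepted:", observer_check(audited, SERIALS, SEED))
    swapped = audited[1:] + [remaining[0]]  # one serial quietly exchanged
    print("altered list accepted:", observer_check(swapped, SERIALS, SEED))
```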

Key Findings: Successes, Struggles, and Surprises

The election was technically successful—results were ratified, and no challenges were filed—but the case study revealed critical challenges for E2E systems:

1. Technical Hiccups (But Resilience)

Printers jammed, software froze, and wireless signals dropped. Yet poll workers adapted: they manually recorded ballots, signed receipts, and later transcribed data. This showed Punchscan’s robustness—it didn’t collapse under technical failures, a major win for real-world viability.

2. Voter Confusion (And Indifference)

Voters struggled with the “indirection” of marking: instead of checking a box, they had to match symbols. Some found it “no harder” than a traditional ballot; others called it “irritating.” The biggest confusion? Shredding a page. Many feared they were “destroying their vote” and asked repeatedly which page to shred. (85% kept the bottom page, skewing the receipt distribution—an issue for audits, since audits rely on random receipt retention.)

Worse, most voters didn’t understand the purpose of the receipt. When told they could verify their vote online, many were indifferent. Only 83 of 154 receipts were checked—suggesting low engagement with the system’s core benefit.

3. Poll Worker Feedback: Training and Speed

Poll workers needed better training (e.g., clearer instructions on the ballot) and worried about speed. Casting a vote took 60–90 seconds—too slow for busy polling places. One worker noted: “I don’t know how it will work if we have people lining up.”

What This Means for E2E Voting Systems

The Ottawa case study is a milestone, but it highlights three critical takeaways:

Usability Is a Barrier

Voters didn’t intuitively grasp Punchscan’s security mechanisms (e.g., why random symbols protect privacy). This isn’t just a “user education” problem—it’s a design problem. Future E2E systems must make verification easier to understand (or even optional) to gain public trust.

Integrity vs. Usability Trade-Offs

Punchscan’s strength (cryptographic indirection) was also its weakness. Voters resented the extra steps, and the receipt verification process was underused. The team suggests decoupling integrity from the voting process—e.g., letting voters verify their vote without complex marking.

Real-World Testing Is Non-Negotiable

Theory alone isn’t enough. The Ottawa election exposed flaws (printer jams, voter confusion) that lab tests miss. For E2E systems to move from research to reality, more real-world trials are needed.

Conclusion: A Step Forward, But a Long Road Ahead

The Ottawa election proved Punchscan could work in a live setting—votes were counted accurately, and the system handled glitches. But it also showed that E2E systems face steep hurdles: voters need to trust (and understand) the technology, and poll workers need tools that are fast and easy to use.

For democracy, this matters. If E2E systems can solve the “trust gap” in elections, they could restore faith in the process. But as the Ottawa case study shows, technology alone isn’t enough—we need to design systems that respect how people actually vote, not just how they should vote.

The future of E2E voting isn’t just about cryptography—it’s about making security feel like common sense. Until then, the journey from lab to polling booth continues.