Secret-Ballot Receipts and Transparent Integrity

David Chaum

Receipts showing exactly who you voted for --- just what is generally wanted and expected today --- have been outlawed to prevent vote selling and other abuses. A new kind of receipt cannot be abused. It also lets you be sure that your votes are correctly included in the final tally, even if all the computers used to run the election are compromised!

Receipts are printed on two-layer media by a modified version of familiar receipt printers. You can read them clearly in the booth; but before leaving, you must separate the layers and choose which one to keep. Either one you take has coded in it the vote information you saw, though your choices can now only be read using keys divided among computers run by election officials.

The layer you take is supplied by the voting machine for publication on an official election website, where you can verify that it is posted. After deriving the tally from the posted receipts, a lotto-like draw selects parts that must be decrypted for inspection, but not so many parts that privacy is compromised. Anyone with a computer can simply check all the decryptions, which should also be published on the website, and thereby verify that the final tally must be correct.

The printers and media are practical and under development. The overall system cost is lower than with today's voting machines and the hardware can additionally be used for other purposes year round. Current election system functionality, including write-ins and provisional ballots, is fully supported and can be extended significantly. A variety of public policy issues are raised. (See

A related software-only voting system suitable for student elections will be described briefly and source code for it distributed.

Gates 4B (opposite 490), 5/21/01, 4:30 PM