User:AndersJohnson/Draft of Scantegrity II

Scantegrity II is an E2E optical scan voting system. It is claimed to retain the integrity properties and the user interface of a traditional optical scan system.

Voting procedure
The Scantegrity II voting procedure is similar to that of a traditional optical scan voting system, except that each voting response location contains a random confirmation code printed in invisible ink. Instead of marking the response location with a visible ink pen, the voter applies a developer that reveals the confirmation code.

Code verification
The voter may then choose simply to deposit the ballot in the collection box, or she may first make and keep a separate written record of the confirmation codes, which are pre-committed by the Election Authority. The Election Authority publishes the voted confirmation codes before the election results are certified. If the written record does not match the published confirmation code, then the voter may file a dispute. Assuming that the code space is sufficiently large, knowledge of a valid unpublished confirmation code can be considered plausible evidence that the Election Authority erred.

Ballot auditing
The voter may also elect to audit a ballot. A poll worker presents the voter with two unvoted ballots, and the voter selects one of them to audit and the other to vote. The poll worker authenticates and invalidates the audit ballot, and then permits the voter to develop all of its confirmation codes and to take it home. Barring discrepancies, the result forms a zero-knowledge proof that all of the pre-commited confirmation codes are unique and as printed, and that the developed ink is sufficiently indelible.

Tabulation process
The tabulation process involves posting the anonymous votes, which can be independently audited by a zero-knowledge proof that the votes correspond exactly to the voted confirmation codes, without revealing that correspondence. Typically, a cryptographic back-end such as that of Punchscan would be employed. Other back-ends are possible.

Use of Invisible Ink
Unlike most applications of invisible ink, the presence of the ink is not concealed. Instead, the reading of undeveloped ink is hampered by printing confirmation codes in a dot matrix grid, each element of which contains either a reactive or a non-reactive ink whose visible effects on the paper are (ideally) identical until they are developed. The integrity of the dispute mechanism relies on the developing process being irreversible, such that the confirmation code is revealed only when the corresponding response is voted, or the ballot is audited or spoiled.

Manual Recounting
Manual recounting is possible, provided that the chain of custody of voted ballots remains intact. This provides a fall-back mechanism in case the invisible ink is defeated, the Election Authority is shown to have made a significant number of errors, or the Election Authority chooses not to rely on disputes to detect errors.