| Logo Size: | 150px |
| Developer: | Richard Carback, David Chaum, Jeremy Clark, Aleks Essex, and Stefan Popoveniuc. |
| Programming Language: | Java |
| Operating System: | Cross-platform |
| Language: | English |
| Genre: | vote counting system |
| License: | Revised BSD license |
| Website: | http://punchscan.org/ |
Punchscan is an optical scan vote counting system invented by cryptographer David Chaum. Punchscan is designed to offer integrity, privacy, and transparency. The system is voter-verifiable, provides an end-to-end (E2E) audit mechanism, and issues a ballot receipt to each voter. The system won grand prize at the 2007 University Voting Systems Competition.
The computer software which Punchscan incorporates is open-source; the source code was released on 2 November 2006 under a revised BSD licence.[1] However, Punchscan is software independent; it draws its security from cryptographic functions instead of relying on software security like DRE voting machines. For this reason, Punchscan can be run on closed source operating systems, like Microsoft Windows, and still maintain unconditional integrity.
The Punchscan team, with additional contributors, has since developed Scantegrity.
A Punchscan ballot has two layers of paper. On the top layer, the candidates are listed with a symbol or letter beside their name. Below the candidate list, there are a series of round holes in the top layer of the ballot. Inside the holes on the bottom layer, the corresponding symbols are printed.
To cast a vote for a candidate, the voter must locate the hole with the symbol corresponding to the symbol beside the candidate's name. This hole is marked with a Bingo-style ink dauber, which is purposely larger than the hole. The voter then separates the ballot, chooses either the top or the bottom layer to keep as a receipt, and shreds the other layer. The receipt is scanned at the polling station for tabulation.
The order of the symbols beside the candidate names is generated randomly for each ballot, and thus differs from ballot to ballot. Likewise for the order of the symbols in the holes. For this reason, the receipt does not contain enough information to determine which candidate the vote was cast for. If the top layer is kept, the order of the symbols through the holes is unknown. If the bottom layer is kept, the order of the symbols beside the candidates name is unknown. Therefore, the voter cannot prove to someone else how they voted, which prevents vote buying or voter intimidation.
As an example, consider a two candidate election between Coke and Pepsi, as illustrated in the preceding diagram. The order of the letters beside the candidates' names could be A and then B, or B and then A. We will call this ordering
P1
P1
P1
P1
order of symbols beside candidate list,
P1\in\{0,1\}=\{AB,BA\}
Likewise we can generalize for other parts of a ballot:
P2
order of symbols through the holes,
P2\in\{0,1\}=\{AB,BA\}
P3
which hole is marked,
P3\in\{0,1\}=\{1st,2nd\}
R
result of the ballot,
R\in\{0,1\}=\{Coke,Pepsi\}
Note that the order of the candidates' names are fixed across all ballots. The result of a ballot can be calculated directly as,
R=P1+P2+P3\bmod2
However, when one layer of the ballot is shredded, either
P1
P2
R
Before the election, the database is created with a series of columns as such. Each row in the database represents a ballot, and the order that the ballots are stored in the database is shuffled (using a cryptographic key that each candidate can contribute to). The first column,
D1
D2
D3
D4
D2+D4=P1+P2\bmod2
The result of each ballot will be stored in a separate column,
R
D5
R
After the election is run and the
P3
D3
D3=P3+D2\bmod2
And the result is calculated as,
R=D3+D4\bmod2
This is equivalent to equation 1,
\begin{align} R&=(D3)+D4\bmod2\\ &=(P3+D2)+D4\bmod2\\ &=P3+(D2+D4)\bmod2\\ &=P3+(P1+P2)\bmod2 \end{align}
The result column is published and given the ballots have been shuffled (twice), the order of the results column does not indicate which result is from which ballot number. Thus the election authority cannot trace votes to serial numbers.
For an election with
n
The voter's ballot receipt does not indicate which candidate the voter cast their ballot for, and therefore it is not secret information. After an election, the election authority will post an image of each receipt online. The voter can look up their ballot by typing in the serial number and they can check that information held by the election authority matches their ballot. This way, the voter can be confident that their ballot was cast as intended.
Any voter or interested party can also inspect part of the database to ensure the results were calculated correctly. They cannot inspect the whole database, otherwise they could link votes to ballot serial numbers. However, half of the database can be safely inspected without breaking privacy. A random choice is made between opening
\{D1,D2,D3\}
\{D3,D4,D5\}
If all ballots are counted as cast and cast as intended, then all ballots are counted as intended. Therefore, the integrity of the election can be proven to a very high probability.
To further increase the integrity of a Punchscan election, several further steps can be taken to protect against a completely corrupt election authority.
Since
D1
D2
D5
Prior to an election, the election authority prints the ballots and creates the database(s). Part of this creation process involves committing to the unique information contained on each ballot and in the databases. This is accomplished by applying a cryptographic one-way function to the information. Though the result of this function, the commitment, is made public, the actual information being committed to remains sealed. Because the function is one-way, it is computationally infeasible to determine the information on the sealed ballot given only its publicly posted commitment.
Prior to an election, twice as many ballots are produced as the number intended to use in the election. Half of these ballots are selected randomly (or each candidate could choose a fraction of the ballots) and opened. The rows in the database corresponding to these selected ballots can be checked to ensure the calculations are correct and not tampered with. Since the election authority does not know a priori which ballots will be selected, passing this audit means the database is well formed with a very high probability. Furthermore, the ballots can be checked against their commitments to ensure with high probability that the ballot commitments are correct.