How it works - Nerd version

To more fully describe the concept, each section of the summary description is restated below and then described in further detail.

The fundamental concept is to use ballot stock that is pre-printed with two character strings in the margin of the sheet.
Two strings of letters, digits and other printable ASCII characters would be printed in the margin of each sheet of ballot stock. This can be done on various sizes of paper to accommodate existing voting systems and on any paper stock desired. There would be no benefit to using a unique or protected paper stock, because the ballot cannot be counterfeited en masse without detection.

The first string is a unique pseudo-random number. It is "pseudo" random only in the sense that it must be unique among all ballots used in a given election and that it includes a reference to the election and voting jurisdiction.
The first string can be generated from a cryptographically secure random number generator and then checked against the list of strings already issued to ensure that it is unique, or an algorithm can be used that guarantees each string it produces differs from all others previously created for this election. Alternatively, a separate set of ballots and pseudo-random numbers can be generated for each state or other region in an election, if desired. The first string may also embed a reference to the election and/or voting jurisdiction where the ballot will be used. This ensures that duplicate or misdirected ballots are detected earlier in the tally process and simplifies the reconciliation of ballots.

The second string is an encrypted version of the first string; further details of the encryption are provided below. The salient fact is that if the second string is "decrypted" with the "Public Encryption Key" it will yield the first string.
Asymmetric encryption uses two "keys" that work together. One key, the "Private" key, is used to transform any string of characters into an unreadable and seemingly random string. The second key, the "Public" key, can then be used to transform that string back to the original. The beauty of the system is that if the "Public" key successfully recovers the original string, it is assured that the transformation was done with the "Private" key. In cryptographic terms this is a digital signature: the second string is the printer's signature over the first string, and "decryption" with the public key is signature verification. One caveat a practitioner would insist on: the signing must use a standard signature scheme with proper padding (for RSA, PSS or PKCS#1 v1.5 over a hash of the first string), not raw RSA applied to the string itself. With raw RSA, anyone holding the public key can pick an arbitrary second string and compute a first string that "decrypts" from it, so the validator would also have to check that the recovered first string has the expected format; a padded signature scheme makes such forgeries infeasible outright.

This decryption “test” would be required during the acceptance of the ballot to ensure that it is not counterfeit.
The decryption test described above would be performed electronically before or at the time the ballot is tabulated. If a ballot's second string, when decrypted, equals the first string, you can be assured that it is either an authentic ballot or a duplicate of one (which is addressed later). The same mechanism is used broadly to authenticate secure web sites (the certificates behind https) and in military applications.

There is, in practical terms*, no way for these two strings to be generated by anyone other than the holder of the "Private Encryption Key", who would be the provider/printer of the ballot stock. Therefore no fraudulent or counterfeit ballots could be created that would pass the decryption test.
Asymmetric encryption is an extremely robust technology; with the suggested 2048-bit keys, breaking a key by brute force is estimated to be far beyond the reach of the most powerful computing technology available in 2021 (see the note below). Given that a set of encryption keys would be used for, at most, a couple of months before an election until the ballots are counted, there is essentially no way the system could be compromised by any type of brute-force attack on the encryption. The practical risk is instead theft or misuse of the private key, so the key should be generated and held in hardware the printing agency controls and never exported. The "Private" keys for an election would be maintained by a trusted agency that produces the blank paper ballots. This would optimally be a secure agency within the federal government, similar to our mints, or a trusted subsidiary. Only the "Public" keys would be made available to the state and local voting authorities. Possession of a public key creates no risk to the integrity of the system.

Ballots could however be duplicated so a second test would be made to ensure that the same encrypted string on a ballot is not accepted twice during an election.
The requirement that each pseudo-random string, and therefore each encrypted string, is unique provides the ability to ensure that no ballot is counted twice. When the encrypted string is scanned, it is compared to those already scanned at that location to ensure no duplication has occurred. When voting tallies are rolled up at the regional and state levels, the encrypted strings that have been tabulated are rolled up with them and checked again for duplicates across locations. In addition, the number of consolidated unique strings should be reconciled against the number of votes rolled up; any excess of votes over unique strings means a ballot was counted more than once. A different set of encryption keys could be made available to each state or smaller entity for federal elections if they wish to maintain some autonomy from other locales in the validation of unique ballots. Because both the decryption test and the local duplicate test are performed at the scanning location, no network connection beyond that location is needed to check against a validation database; duplicates across locations are caught at roll-up.

Both tests could be accomplished concurrently and can be done during the scanning of the ballot for tabulation or as a separate step to validate the ballot before it is counted.
To provide full compatibility with existing systems that use or produce paper ballots, the secure ballot could be tested entirely independently of the tabulation procedure. This would also allow only the margin of the ballot to be scanned to confirm it is valid, reducing any concern that the unique strings could somehow associate a ballot with a person and their vote. However, choosing this option would eliminate the ability for voters to verify their vote after the fact, as discussed later. In the preferred embodiment a single scanner would perform both the validation of the ballot and the tabulation. An advantage of the latter is that validation of the ballot and determination of the voter's selections could be done in real time and, if either test failed, the voter could resolve the problem on the spot.
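The following is an added worked example of the whole procedure above (printing the two strings, the decryption test, the local duplicate test, and the roll-up reconciliation); it is not code from the page or from the patent holder. It assumes a concrete layout for the first string, SCOPE:RANDOMHEX where SCOPE names the election and jurisdiction, and uses RSA-2048 with PSS padding over SHA-256 as the concrete "encryption with the private key". The names Printer, Tabulator, Issue, Verify, Accept and RollUp, and the scope value "2024-GEN:COUNTY-17", are illustrative choices, not terms from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Ballot is one sheet's margin strings. First is SCOPE:RANDOMHEX (assumed layout); Second is a base64 RSA-PSS signature over First.
type Ballot struct{ First, Second string }

// Printer is the trusted printing agency, the only holder of the private key.
type Printer struct {
	Priv   *rsa.PrivateKey
	issued map[string]bool // first strings already printed for this election
}

func NewPrinter() (*Printer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Printer{Priv: priv, issued: map[string]bool{}}, err
}

// Sign makes the second string. PSS padding over a hash is what stops anyone from building a passing pair out of a random "second".
func (p *Printer) Sign(first string) (string, error) {
	h := sha256.Sum256([]byte(first))
	sig, err := rsa.SignPSS(rand.Reader, p.Priv, crypto.SHA256, h[:], nil)
	return base64.StdEncoding.EncodeToString(sig), err
}

// Issue prints one sheet: 128 fresh random bits tagged with the scope, checked for uniqueness.
func (p *Printer) Issue(scope string) (Ballot, error) {
	var r [16]byte
	rand.Read(r[:]) // crypto/rand: never returns an error as of Go 1.24; check it on older toolchains
	first := fmt.Sprintf("%s:%x", scope, r[:])
	if p.issued[first] {
		return Ballot{}, fmt.Errorf("collision: %s already printed", first) // re-draw in practice
	}
	p.issued[first] = true
	second, err := p.Sign(first)
	return Ballot{First: first, Second: second}, err
}

// Verify is the acceptance test, run with only the public key and no network: right scope, valid signature.
func Verify(pub *rsa.PublicKey, scope string, b Ballot) error {
	if !strings.HasPrefix(b.First, scope+":") {
		return fmt.Errorf("first string is not for %s", scope)
	}
	h := sha256.Sum256([]byte(b.First))
	sig, err := base64.StdEncoding.DecodeString(b.Second)
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) != nil {
		return fmt.Errorf("signature check failed: counterfeit stock")
	}
	return nil
}

// Tabulator is one scanning location; Seen is the set of second strings it has counted.
type Tabulator struct {
	Pub   *rsa.PublicKey
	Scope string
	Seen  map[string]bool
}

// Accept runs both tests; nil means the ballot counts.
func (t *Tabulator) Accept(b Ballot) error {
	if err := Verify(t.Pub, t.Scope, b); err != nil {
		return err
	}
	if t.Seen[b.Second] {
		return fmt.Errorf("duplicate: encrypted string already counted at this location")
	}
	t.Seen[b.Second] = true
	return nil
}

// RollUp merges locations as a county or state would: votes reported must equal distinct strings, else a ballot was counted twice.
func RollUp(ts ...*Tabulator) (unique, votes int, err error) {
	merged := map[string]bool{}
	for _, t := range ts {
		votes += len(t.Seen)
		for s := range t.Seen {
			merged[s] = true
		}
	}
	if unique = len(merged); unique != votes {
		err = fmt.Errorf("%d votes reported but %d unique strings", votes, unique)
	}
	return unique, votes, err
}

func main() {
	printer, _ := NewPrinter()
	tab := &Tabulator{Pub: &printer.Priv.PublicKey, Scope: "2024-GEN:COUNTY-17", Seen: map[string]bool{}}
	b, _ := printer.Issue("2024-GEN:COUNTY-17")
	fmt.Println("genuine:", tab.Accept(b), "| photocopy:", tab.Accept(b))
}
```

Running it prints "genuine: <nil> | photocopy: duplicate: encrypted string already counted at this location". Note that only the Printer ever touches the private key; a scanner is built from the public key and a scope string, and a sheet printed for another jurisdiction, a sheet signed with a different key, or a real second string pasted beside a forged first string all fail Verify before the duplicate check is reached. A photocopy passes Verify at a second location but is caught at RollUp because the reported votes exceed the distinct strings.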

The third and final control would be the chain of custody and management of ballots. To ensure that no authentic ballots are filled out nefariously, the total number of ballots allocated to a voting authority would need to be accounted for as either being used, voided, or remaining in stock at the end of the election.
This simple step of accounting for all ballots provides the final protection offered by the secure ballot process. The printing authority will provide the number of ballots ordered, which should be set to serve the highest expected voter turnout. This total must be accounted for as an added assurance that none of the ballots are introduced into the system inappropriately. When ballots are subsequently distributed, this must be done with a robust, documented chain of custody, and after the election every ballot must be accounted for in one of the following categories:
    1) actual ballots cast,
    2) damaged or voided ballots that were replaced,
    3) remaining unused ballots and
    4) unaccounted for ballots.

Physical ballots in the first three categories will be kept in archive for an appropriate period, but not less than the federal requirement, which is currently 22 months. States or jurisdictions will need to determine an acceptable threshold for the fourth category and take appropriate action if it is exceeded.

These steps alone would eliminate the possibility of the great majority of the fraudulent activities about which concerns and allegations challenging our elections' integrity have been made.
Specifically, all the scenarios below would be eliminated or significantly diminished:
    1. Ballot batches being tabulated more than once
    2. Copied ballots being counted
    3. Counterfeit printed ballots
    4. Inconsistent number of votes compared with the number of people checked off the voter registration rolls


The use of this concept also enables the "Additional Practices" discussed below, which can be adopted to further assure integrity in early and absentee voting.
With the Additional Practices discussed below, the following concerns can also be addressed:
    1. Doubt as to whether "my" vote was counted
    2. Absentee ballots being cast fraudulently and subsequently challenged by the legitimate voter


Details of Additional Practices

Ability to “Track my Vote”:
This can be provided by including, or optionally including at the voter's request, a tear-off tab or other copy of the "Encrypted String" associated with their ballot. This string is in no way associated with the voter except through their possession of it. After the election concludes, voters would be given a query function that takes this string, looks it up in the consolidated voting data, and confirms the selections on that ballot and that the ballot was in fact counted. One caveat: a receipt that reveals selections also lets a voter prove to someone else how they voted, which is why most jurisdictions avoid such receipts; keeping the tab optional, or having the query return only whether the ballot was counted, limits that exposure.

Improved Absentee ballot procedure:
Using the "Secure Ballot", a copy of the pseudo-random string (the un-encrypted first string) would be kept with the voter-identifying information on the outside envelope of absentee ballots. Only the second string (the encrypted string) would be kept with the scanned returned-ballot results. If a fraudulent ballot were claimed, and the claim verified by the "in-person" voter, then at the discretion of the voting authority the associated outside envelope would be retrieved from the archive. The "Pseudo Random String" on that envelope would then need to be re-encrypted with the private key, which is maintained under close security by the trusted entity. (If a randomized signature scheme such as RSA-PSS is used for the encryption, re-signing will not reproduce the original second string; the trusted entity would then need either a deterministic scheme or its own record of the issued pairs of strings.) Authority to do this would be protected by onerous requirements, including the request and permission of the associated voter, and then only by a judicial ruling. Legislative requirements would be in place that this take place only when fraudulent ballots are rampant and/or of a magnitude that could impact election results. After all such safeguards, the ballot with that encrypted string could then be removed from the tally. This does have some risk, but possibly acceptable risk for the benefit. The risk is:
    1. The archive of outside envelopes could be compromised and a first string correlated to a voter could be obtained, then
    2. The trusted entity holding the private key could be compromised and made to encrypt the first string into the second string using the private key, then
    3. The holder of that encrypted second string could query the system to learn what vote went into the tally with that second string (if the "Track my Vote" query described above is enabled).


*   USPTO Patent Pending #63217464
*   (Practical terms) With the 2021 state of computing technology, it is generally accepted that factoring an RSA-2048 key, and thereby breaking the asymmetric encryption, would take many decades or longer by any known method, far outside the few months an election key would be in use.
