At the very minimum, I would expect a voting machine to create two paper receipts after each vote: one provided to the voter and another stored internally. These would hopefully be on something more durable than thermal paper, though that might suffice. The receipt would contain the machine ID, timestamp and vote recorded.
Administrators could get a quick count from the machine memory, then perform a verification by pulling a sample of votes from the printed receipt and comparing them to the electronic values with the same timestamp. And any voter can compare their receipt with publicly-available voting records.
Of course, then you have to worry about exploits that can cause the machine to print votes on demand, because those would appear legitimate, especially if the voter's receipt printout can be suppressed - there'd be no incriminating receipt trail hanging out of an unattended machine.
You can't print out a person's vote on a receipt an admin could see; that's not a secret ballot. And, using that receipt, the voter can do little to verify his vote was counted.
No identifying info needs to be printed. Just a GUID. Use a dot matrix printer with triplicate ("biplicate"?), let the voter take their receipt, and keep the other one on the spool.
Yeah, there's still might be some issue with external coercion on the voter to produce their receipt and prove they voted the way they were paid to. I suppose that could be solved by making the voter's copy an XOR of the audit tape, and by only having both copies together, can the vote be verified. Presumably the forces doing the coercion wouldn't have access to the audit tape. If they did, then we're already screwed no matter what system we implement.
Just a thought. Not sure if there's some fundamental contradiction between secrecy in voting and voter-auditability.
i.e. the attack scenario is a small town, where you record each person as they come in. Then later you can look at the vote in order and know who voted what.
> Presumably the forces doing the coercion wouldn't have access to the audit tape.
That is not a valid assumption. Your machine must be resistant even to that attack.
> If they did, then we're already screwed no matter what system we implement.
No. The audit must not be able to be correlated with the person, the order, or the time.
"zero knowledge proofs" is a textbook solved problem. Your local college library has books that explain how to do secure voting. It is how AWS and HTTPS works.
Why not print out N copies of the receipt, where N = number of parties (usually 2 in the US, Republicans and Democrats). Then, each receipt is placed in a box dedicated to each party. Then, representatives from each party get a box, and count receipts. All count should match (or be within a certain margin), right?
You give the voter a paper ballot that they can visually confirm and deposit, themselves, in a ballot box, that can then be consulted to verify the electronic tallies in the event of a challenge. Honestly though, as an Oregon resident, I don't see why all states don't have vote by mail like we do.
We use this here in Australia and I think it's worth the $197m[0] each Federal election costs. In some State elections, the upper house ballot paper is 100cm metre wide,[1] and if someone numbers all the boxes, their preferential vote has to be tallied manually.
Administrators could get a quick count from the machine memory, then perform a verification by pulling a sample of votes from the printed receipt and comparing them to the electronic values with the same timestamp. And any voter can compare their receipt with publicly-available voting records.
Of course, then you have to worry about exploits that can cause the machine to print votes on demand, because those would appear legitimate, especially if the voter's receipt printout can be suppressed - there'd be no incriminating receipt trail hanging out of an unattended machine.