E-VotingCurrent electronic voting machines at pollingplaces don’t give receipts. Rather, they requireprospective voters to trust them—withoutproof or confirming evidence—to correctlyrecord each vote and include it in the final tally. Receiptscould assure voters that their intended votes are counted.However, receipts have so far not been allowed because ofthe “secret ballot” principle, which forbids voters fromtaking anything out of the polling place that could beused to show others how they voted. The reason for this isto prevent schemes that could improperly influence vot-ers, such as vote selling and various forms of coercion.Introduced here is a fundamentally new kind of re-ceipt. In the voting booth, the voter can see his or herchoices clearly printed on the receipt. After taking it outof the booth, the voter can use it to ensure that the votes itcontains are included correctly in the final tally. But, be-cause the choices are safely encrypted before it is removedfrom the booth, the receipt cannot be used to show oth-ers how the voter voted. The receipt system can be proven mathematically toensure election integrity against whatever misbehavingmachines or people might do to surreptitiously changevotes. This level of integrity should enhance voter satisfac-tion and confidence and positively impact participation.The system also eliminates the need for trusted votingmachines, which typically use proprietary “black box”technologies. It can run with published code on standardPCs, allowing significantly lower cost and higher quality.The receipts also improve robustness, currently achievedby costly proprietary hardware redundancy in storing andtransporting votes, not only because failures can be de-tected at the polls in time to prevent lost votes, but alsobecause the votesthat receipts con-tain can be counted no matter what happens to the ma-chines. Moreover, open-platform hardware, instead ofbeing stored in special warehouses most of the time,could even be used for various purposes year-round, forexample in schools and libraries.The inability of the current approach to reconcile se-crecy and security needs has also led to functionalityproblems. The new US Federal requirement for provi-sional ballots—ballots cast by individuals whose namesdon’t appear on the registration list—means separate han-dling and counting, singling provisional ballots out for re-duced privacy protection. Just as the system presentedhere can seamlessly include all such votes, it can lift the re-quirement that voters vote from their home precinct, en-suring access while improving convenience and turnout.(It even makes interjurisdiction voting workable.) Courtscan also surgically add or remove the votes of particularfine-grained categories of voters; their inability to do sotoday forces them to call revotes, throw out all ballots, ordetermine winners themselves. Voting with the new approachAfter you input your choices using a touch screen orother input means, with the new approach, a small de-vice that looks like a cash register printer generates aprintout (part of which will become your receipt). Theprintout lists the names of the candidates you chosealong with their party affiliations and offices sought, asFigure 1 shows, as well as your vote on any ballot ques-tions. Included are allowed write-ins and other choices,such as with straight-party voting and prioritized andDAVID CHAUMSecret-Ballot Receipts: True Voter-Verifiable Elections38 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/04/$20.00 © 2004 IEEE ■ IEEE SECURITY & PRIVACY A new kind of receipt sets a far higher standard of securityby letting voters verify the election outcome—even if allelection computers and records were compromised. Thesystem preserves ballot secrecy, while improving access,robustness, and adjucation, all at lower cost.E-Votingweighted votes. The printout might also include graph-ics, such as a voter’s handwritten choice of candidate,party symbols, or (someday) photographs such as somecountries use. It might also alert you to contests or ques-tions you skipped and serves as the single summary ofyour vote. After printing your votes, the machineprompts you to review the printout still in the printerand accept it, giving you the opportunity to amend yourvote and generate a new printout. Generating a receiptIf you agree with the printout, the machine asks you toindicate whether you wish to keep the top or the bottomlayer of it. The printer differs from ordinary receiptprinters because it simultaneously prints separate butaligned graphics on both the top and bottom sides of thestrip. After you’ve indicated your choice of layer, the ma-chine prints the final inch of the form. (The voter choos-ing which layer only after the main part is printed is keyto keeping the system honest.) It then automatically cutsoff both layers, still laminated together, and releases themto you. Figure 2 shows the laminated last inch of theprintout. As you separate the layers, the image of the votes be-comes an unreadable and seemingly random pattern oftiny squares printed on each of two layers of translucentplastic material. Neither layer is readable on its own—thelight passing through the sandwiched layers only whereneither layer has printing is what makes your choices vis-ible. Still, each layer separately and safely encodes yourvote exactly as you saw it. The last inch of the printout is different because itslayers have messages that are readable after the layers areseparated, as Figure 3 shows. The layer you select to keepas your receipt bears a message such as, “Voter keeps thisprivacy-protected receipt layer” (Figure 3a), whereas theother layer might state, “Voter must surrender this layer topoll worker” (Figure 3b). Verifying your vote As you leave the polling place, you give the poll workerthe layer marked for surrender. For your protection and asyou watch, the poll worker checks that it’s the correctlayer and destroys it in a small, transparently housed papershredder. You keep the other layer as your receipt. Thevoting machine keeps an electronic version of this samefinal receipt until it successfully sends it in for posting onthe official election Web site. The bits on the shreddedpaper layer are also “shredded” electronically—that is, theonly things that remain of your vote are your physicallayer and, in the machine, a digital version of that sameimage. (One way to handle voters that