Punchscan is an optical scan vote counting system invented by cryptographer David Chaum.

Punchscan is designed to offer integrity, privacy, and transparency.

The system is voter-verifiable, provides an end-to-end (E2E) audit mechanism, and issues a ballot receipt to each voter.

The computer software which Punchscan incorporates is open-source; the source code was released on 2 November 2006 under a revised BSD licence.

For this reason, Punchscan can be run on closed source operating systems, like Microsoft Windows, and still maintain unconditional integrity.

The Punchscan team, with additional contributors, has since developed Scantegrity.

On the top layer, the candidates are listed with a symbol or letter beside their name.

Below the candidate list, there are a series of round holes in the top layer of the ballot.

Inside the holes on the bottom layer, the corresponding symbols are printed.

For this reason, the receipt does not contain enough information to determine which candidate the vote was cast for.

If the top layer is kept, the order of the symbols through the holes is unknown.

If the bottom layer is kept, the order of the symbols beside the candidates name is unknown.

As an example, consider a two candidate election between Coke and Pepsi, as illustrated in the preceding diagram.

: order of symbols beside candidate list, Likewise we can generalize for other parts of a ballot:

In order to calculate the election results, an electronic database is used.

contains a pseudorandom bitstream generated from the key, and it will act as a stream cipher.

contains a bit such that: The result of each ballot will be stored in a separate column,

Thus the election authority cannot trace votes to serial numbers.

Any voter or interested party can also inspect part of the database to ensure the results were calculated correctly.

They cannot inspect the whole database, otherwise they could link votes to ballot serial numbers.

However, half of the database can be safely inspected without breaking privacy.

(this choice can be derived from the secret key or from a true random source, such as dice[2] or the stock market[3]).

This procedure allows the voter to be confident that the set of all ballots were counted as cast.

The probability of the tampering being uncovered in the audit increases with the number of independent databases.

Part of this creation process involves committing to the unique information contained on each ballot and in the databases.

This is accomplished by applying a cryptographic one-way function to the information.

Because the function is one-way, it is computationally infeasible to determine the information on the sealed ballot given only its publicly posted commitment.

The rows in the database corresponding to these selected ballots can be checked to ensure the calculations are correct and not tampered with.

Since the election authority does not know a priori which ballots will be selected, passing this audit means the database is well formed with a very high probability.