Ken Johnson wrote: But are these processes workable without precinct-level voting? I had the impression that Chaum was implying this, but maybe his point was that the vote counting process (as opposed to voter verification) wouldn't be reliant on precinct-level tallies. Matt replies: His precinct-level tallies comment makes sense in the context of the voting security and verification issues he talks about in his article. You are right that non-precinct-level tallies could complicate voter registration cheating issues which he does not address. Ken Johnson: Good points, but it could be argued that the method has not been very successful in societies where corruption is the norm and crooked public officials routinely pilfer vast sums of money from government and business accounts. The system's integrity ultimatly depends not on the encryption algorithm, but on the trustees' personal integrity and their susceptibility to being bribed, coerced, or duped into revealing their keys. I respond: One way to deal with this problem may be to rely on outside third parties who lack a vested interest in the outcome to perform this function. Maybe the actual trustees could be psuedo-randomly selected from a large pool of candidates to make bribery or coercion more difficult. Maybe they could be trained to resist being duped. Obviously, no election method can work if it is faked and not followed, but with this method the outside third party observers would be given this powerfull new tool that could detect problems that otherwise would go undetected. Some of the corrupt countries allow such third party oversight even though the observers subsequently declare the election to be seriously flawed. Others refuse observers or hamper their work. But at least this way it is easier to identify who is who. Ken wrote: In retrospect, I think I agree that we do not accomplish the same objectives. The primary objective of Chaum's proposal appears to be to enable individual voters to ensure that their ballots are correctly included in the final tally, whereas my focus is more on verifying that the final tally is correct. For the latter objective, it is not sufficient to be able to prove that any particular valid ballot corresponds to a correctly-entered database record; you also have to determine (at least within reasonable statistical uncertainty) that every database record corresponds to a valid ballot, i.e., there is no ballot stuffing or "database stuffing". I respond: But I don't think your proposal prevents ballot swapping, which as a practical matter is no different in its impact then ballot stuffing. And the steps that your method takes to help prevent cheating appear to me to be generic, they could be implemented together with half-pixel half receipts, they are not mutual exclusive.