
Proposal: An Open-Source Enhancement for Voting Systems (OSEVS)
(Public Release, Version 1.1, November 2022)

Background:

The current system of voting is fundamentally flawed. Voters should have faith in a
system where all ballots will be fairly handled, kept private, and recorded accurately.
Even with current electronic technology, the methods of collecting and preserving the
integrity of voting records are basically unchanged. The current process is subject to
fraud allegations, mistrust, and is painfully inefficient.

There is no excuse to accept this form of abuse. A vote is a special right and
considered sacred. When citizens feel apathetic to the system because of a lack of trust
and a lack of verification, the entire process of a fair and honest election becomes
questioned.

We can listen to any music, view any show or movie, and have the entire record of
human history at our fingertips. Yet, during almost every election cycle, we are forced to
use an antiquated and inefficient system of voting. After many contentious voting cycles,
there are allegations of fraud, destroyed/lost/altered ballots, and endless finger-pointing,
blame, and mistrust. The mere act of waiting for days or weeks for a finalized election
result is unacceptable. The current system must be changed for the better. This proposal
describes a method for an Open-Source Enhancement for Voting Systems (OSEVS).

Proposal:

1. The OSEVS method of ballot submission and tabulation must be completely
open-source. Anyone should be able to view the source code for the software, and
it is owned by no one. The methodology and programming code described in this
proposal are free and completely open to the public for review.

2. The completed ballot must not have any indication which candidate or proposition
was chosen by the voter.

3. The voter could verify that their chosen candidate/proposition was recorded
properly, either on-line or at their local Board of Elections. The voting information
would remain private and accessible only to the submitting voter.

4. The OSEVS must remain simple. Ballot scanning and tabulation must not rely upon
any form of networked computers, public or private; public verification works from an
exported copy of the results table.

5. The OSEVS must be compatible with any existing ballot recording system.

This method assigns a “public and private key pair” to each voter. Public/private
key pair technology is not new, open-source implementations exist, and anyone can
generate these key pairs at no cost. The assignment would produce a record in which
the public key is kept on file along with the voter’s private key. There are many
open-source methods of generating public/private key pairs, and no single method is
required for OSEVS. Note that OSEVS uses the key pair only as a unique, unguessable
identifier for the voter’s record; nothing in this proposal is signed or encrypted with it.

Once the private key is generated, two-dimensional barcode stickers would be
generated, each containing a portion of the private key. Each “split-key” would be a
unique string of letters and numbers derived from the voter’s private key. The voter
would receive a ballot form with a sheet of these split-key stickers, one sticker per
candidate name. Even if the contents of the barcode were shown in “plain text”,
no one without the election agency’s candidate-to-split-key table could determine the
voter’s selection once the ballot was submitted to a poll worker or sent through the mail.

When the ballot envelope is received, it is opened by the poll worker and scanned.
No one looking at the ballot can determine which candidate was chosen. The scanning
program would only alert the poll worker to an incorrect or missing barcode sticker.

The public key and the split-key could be scanned by an inexpensive 2D barcode
scanner, and the results submitted to the Board of Elections database. Since the
scanned split-key identifies no candidate on its own, the voter’s public key and the
selected split-key can be made public; this data would indicate neither the candidate
chosen nor the identity of the voter. The scanning program would also record a
date/time stamp of when the ballot was scanned and accepted by the system. Because
the scanned data cannot by itself reveal the voter’s choice, the transmission of data to
the BOE can be verified and recorded instantly, and applying the agency’s
candidate-to-split-key table to the accepted records yields running totals, so the
voting public would be able to see results in real time.

The voter would also be able to confirm that their vote was received and recorded
correctly immediately after casting the ballot. Once the ballot is verified and added to
the database, the voter can independently verify that their vote was counted properly.
This could be done by scanning their public key with a smartphone; a voter without a
smartphone could go to a public government office or local library to scan it. A voter
could also type the first few characters of their Public Key on the Board of Elections
website and find their matching record containing the portion of their private key that
was scanned.

Below is an example of a computer-generated key pair. (The “public key” shown is a
Base58Check-encoded hash of an ECDSA public key, in the format of a Bitcoin address;
the “private key” is in Bitcoin’s Wallet Import Format.)

Public Key: 1Jr948ydQhm1ZLLaanTAVjqgKBqyQhVGXo

Private Key: 5JNcM5GtyhBP6NFdbmwJMDNMuVkzbxwmYcEeNE2ouJM7s558sq41

The public/private key pair could be generated by the local board of elections. The
generation of the key pair does not rely on a separate centralized system or on any
outside source, and it does not require a connection to any network. The method of
generation is completely free and open-source. A single key pair would be assigned to
each individual voter and used for one election only. The election agency would be
required to maintain and secure the public/private key database. This database is not
required to be connected to any network, and its key and split-key columns can be
shared freely with the public; the candidate assignments and the link to voter records
are kept in separate tables, as described below. For scanning purposes, the Public Key
would be encoded within a two-dimensional barcode as shown below. The barcode data
is not encrypted.

The Private Key would be split by the number of registered candidates, plus one for
a write-in entry. The method used to generate the split-keys from the Private Key is
“Shamir’s Secret Sharing Scheme” (SSSS), developed by Adi Shamir*. The
programming code for SSSS is completely free and open-source. For this example, we
will use a candidate pool of six choices, plus one for a write-in candidate, for a total of
seven. Using SSSS, the private key is split into seven shares of equal length, all seven
of which are required to reconstruct it.

* - “How to Share a Secret”, Adi Shamir. https://www.cs.tau.ac.il/~bchor/Shamir.html

The following is an example of splitting the Private Key into seven parts using the
ssss-split utility from the open-source ssss package, which reads the secret from
standard input:

ssss-split -t7 -n7

With a threshold (-t) equal to the share count (-n), this produces seven split-keys, and
all seven are required to recover the Private Key listed below:

5JNcM5GtyhBP6NFdbmwJMDNMuVkzbxwmYcEeNE2ouJM7s558sq41

Split-key assignment:

1-f198167bba30f557f7dadb56d8de5a34615bfb0bd6cd91d55fbb4eb077d9f8
9cae87f5c4d1a33c748aecb5dc7a6fabdb6d089bb8

2-54a66e941e8d9ed8482a9c04d92eff281e73e0ec99fef99416732bb2685fea
0fc7259c3a5c7ff403abc3d066d323d0d7d0a9191f

3-7babb3bd807af826a9282a98ed23013ed93c7cbdac35e67287a4fbbaaa3e90
52ce273f4be12501dfec3679487bd26a855dc45c0a

4-d8b61108b1958d753a5433a38946ed7e131536d26c07455ea9653ebe318edd
0007ea4ba2137fca209cf59987150ebe419d95ee17

5-35073d39354e2beb39b8d39aca122dcf0969b08c93fd07b08e8441cf440163
9da6f334fdc58061d6fbabdc256c597e06f1b9e8ea

6-8937abedefdf34660415809a92f332f1c45c03014b433490a1a4497ea821ec
81bbe8d67443923df6c566761a28dc802165a35652

7-4cc083746c04a41c4d27c571301f97287f12164d18157d62ab9799d1b6d989
bbcb03b7bbe856331e7507538d0f481c773db41c77

Each split-key would then be assigned to a candidate in random order. In this
example, the candidates are:

Alex Alpha
Barbara Beta
Gary Gamma
Darius Delta
Elise Epsilon
Zoey Zeta

The election certification agency would retain the candidate’s name and the
corresponding split key in a separate database table. For this example, the split-key
assignments are:

Alex Alpha
3-7babb3bd807af826a9282a98ed23013ed93c7cbdac35e67287a4fbbaaa3e90
52ce273f4be12501dfec3679487bd26a855dc45c0a

Barbara Beta
4-d8b61108b1958d753a5433a38946ed7e131536d26c07455ea9653ebe318edd
0007ea4ba2137fca209cf59987150ebe419d95ee17

Gary Gamma
1-f198167bba30f557f7dadb56d8de5a34615bfb0bd6cd91d55fbb4eb077d9f8
9cae87f5c4d1a33c748aecb5dc7a6fabdb6d089bb8

Darius Delta
5-35073d39354e2beb39b8d39aca122dcf0969b08c93fd07b08e8441cf440163
9da6f334fdc58061d6fbabdc256c597e06f1b9e8ea

Elise Epsilon
7-4cc083746c04a41c4d27c571301f97287f12164d18157d62ab9799d1b6d989
bbcb03b7bbe856331e7507538d0f481c773db41c77

Zoey Zeta
2-54a66e941e8d9ed8482a9c04d92eff281e73e0ec99fef99416732bb2685fea
0fc7259c3a5c7ff403abc3d066d323d0d7d0a9191f

(Write-In Candidate)
6-8937abedefdf34660415809a92f332f1c45c03014b433490a1a4497ea821ec
81bbe8d67443923df6c566761a28dc802165a35652
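The split step (ssss-split -t7 -n7) and the random candidate assignment above, as an added example that is not the proposal’s code and not the ssss package’s code: a 7-of-7 Shamir split in pure Python over a prime field, shares written in the same “index-hex” text form as ssss-split, the random per-voter pairing of shares with candidates, and the six-character confirmation-page code. The sample key is the proposal’s. The field prime (2^521 - 1), the 66-byte share width and all function names are assumptions of this example; ssss itself computes over GF(2^n), so its hex strings will not match these.

```python
"""Added example (not the OSEVS proposal's or ssss's code): 7-of-7 Shamir
split of a private-key string, ssss-style share text, random candidate
assignment and confirmation codes.  Prime field is an illustrative
substitute for ssss's GF(2^n) arithmetic."""
import secrets

# Assumption: 2**521 - 1 (a Mersenne prime) exceeds any 51-character
# (408-bit) key, so the whole key fits in one field element.
P = (1 << 521) - 1
SHARE_BYTES = 66  # enough to hold any element below P


def _poly_at(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, t: int, n: int):
    """Shamir split: n shares (index, value); any t of them recover secret."""
    s = int.from_bytes(secret, "big")
    if not (1 <= t <= n) or s >= P:
        raise ValueError("bad parameters")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, _poly_at(coeffs, i)) for i in range(1, n + 1)]


def interpolate_at_zero(shares):
    """Lagrange interpolation at x = 0.  With fewer points than degree + 1
    this is the constant term of some other polynomial: no information."""
    total = 0
    for i, y_i in shares:
        num = den = 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y_i * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(shares, secret_len: int) -> bytes:
    s = interpolate_at_zero(shares)
    return s.to_bytes(max(secret_len, (s.bit_length() + 7) // 8), "big")


def encode_share(index: int, value: int) -> str:
    """ssss-split style text form: '<index>-<hex>'."""
    return f"{index}-{value.to_bytes(SHARE_BYTES, 'big').hex()}"


def decode_share(text: str):
    index, hexpart = text.split("-", 1)
    return int(index), int(hexpart, 16)


def assign_candidates(share_texts, candidates, rng=None):
    """Randomly pair each candidate (write-in included) with one share."""
    if len(share_texts) != len(candidates):
        raise ValueError("need exactly one share per candidate")
    order = list(share_texts)
    (rng or secrets.SystemRandom()).shuffle(order)
    return dict(zip(candidates, order))


def confirmation_code(share_text: str) -> str:
    """Index plus the first six hex characters, as on the confirmation page."""
    index, hexpart = share_text.split("-", 1)
    return f"{index}-{hexpart[:6]}"


if __name__ == "__main__":
    key = b"5JNcM5GtyhBP6NFdbmwJMDNMuVkzbxwmYcEeNE2ouJM7s558sq41"  # proposal's sample
    shares = [encode_share(i, v) for i, v in split_secret(key, 7, 7)]
    names = ["Alex Alpha", "Barbara Beta", "Gary Gamma", "Darius Delta",
             "Elise Epsilon", "Zoey Zeta", "(Write-In Candidate)"]
    for name, share in assign_candidates(shares, names).items():
        print(f"{name:22s} {confirmation_code(share)}")
    # All seven shares rebuild the key; any six do not.
    assert recover_secret([decode_share(s) for s in shares], len(key)) == key
```

The interesting check is the last line: with a threshold of seven, six shares interpolate to the constant term of a different degree-five polynomial, so a voter’s single sticker (or the six stickers left on the sheet) gives no information about the private key.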

The central database would contain the assigned public key and the corresponding
split-key assignments. The value of each split-key would be encoded into a
two-dimensional barcode and printed on a set of stickers. Each sticker would consist of
the 2D barcode only, without the name of the candidate; the sticker sheet would be on
a page separate from the actual ballot.

For added security, and to prevent copying, a watermark or hologram image could
be embedded within each sticker. A confirmation page would also be supplied to each
voter along with the ballot. The confirmation page would not require the entire key for the
voter to verify their candidate selection. The voter could verify their chosen candidate by
entering the number followed by the first six characters. An example of the sticker sheet
and confirmation page is shown on the following two pages.

[Sticker sheet: seven 2D-barcode stickers, labelled on the sheet Alex Alpha,
Barbara Beta, Gary Gamma, Darius Delta, Elise Epsilon, Zoey Zeta and
WRITE-IN CANDIDATE]

Split-Key Signature Confirmation Page

RETAIN THIS PAGE FOR YOUR RECORDS

John Q. Public                 Public Key: [2D barcode of the voter’s Public Key]
123 Main Street
Anywhere, NJ 00001

Alex Alpha              3-7babb3
Barbara Beta            4-d8b611
Gary Gamma              1-f19816
Darius Delta            5-35073d
Elise Epsilon           7-4cc083
Zoey Zeta               2-54a66e
(Write-In Candidate)    6-8937ab

A ballot would have a single blank square where the voter affixes one of the
stickers. In this example, the voter chooses “Zoey Zeta”. As shown on the following
page, the returned ballot carries no indication of the candidate chosen, so an
intercepted ballot would not reveal the selection. A duplicated ballot would be flagged,
because each voter is paired with a single public key that is checked against the BOE
database, and a bad actor would not know which split-key corresponds to their preferred
candidate. A ballot could not be usefully modified unless the bad actor had access to the
original sticker sheet and ballot; if a sticker were swapped out, the voter would discover
it on a verification inquiry. If a ballot were destroyed or lost before the legitimate voter
received it, the voter could request a new key pair assignment.

Once the results were collected, the public key and the split-key chosen by each
voter could be made public. Viewing only the public key and the chosen split-key
reveals neither the voter’s identity nor the candidate: both require the BOE database
(the voter-to-key link and the candidate-to-split-key table), so the secrecy of the
ballot rests on that database being kept secure. The voter could verify that the vote
was received and accurately entered by searching the public database for their public
key and matching it with the split-key they chose. The Official Ballot Form itself carries
the voter’s name, address and signature next to the public key, so scanned ballot images
should be retained for investigations rather than published; publishing them would link
each public key to a named voter. The BOE would be responsible for the security and
integrity of the database.

If there were an issue with ballots being modified, voters could independently view
their split-key/public key pair on-line and match it with the split-key signatures they
received with their ballot. Also, all seven split-keys for a voter could be entered into
Shamir’s Secret Sharing Scheme, which would reconstruct the full private key originally
paired with that voter’s public key, verifying that all the split-keys are valid and belong
to the voter’s original key pair. The database could be “locked in place” once all the
ballots had been sent out, and/or copied to a State BOE and/or Federal Agency. The
integrity of this system grows when the database is distributed before Election Day.

The public/private key pair generation relies on a proven system, the “Elliptic
Curve Digital Signature Algorithm” (ECDSA)*; in OSEVS the pair serves only as an
identifier, and no signatures are produced. The number of distinct 160-bit address
values of the kind shown in the example is astronomical:

1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 (2^160)

and the underlying 256-bit private-key space is larger still. It is computationally
infeasible to derive the private key from the public key. Billions of people could safely
use one pair for every election with no practical chance of issuing the same key pair
twice. The next page is a very basic sample ballot where a candidate sticker has been
affixed within the box. The completed ballot displays the voter’s public key and chosen
split-key.

*https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

OFFICIAL BALLOT FORM - ELECTION YEAR 2024

John Q. Public                 Public Key: [2D barcode of the voter’s Public Key]
123 Main Street
Anywhere, NJ 00001

Please affix the barcode matching the candidate of your choice in the box below.

[Box: the affixed split-key sticker (Zoey Zeta’s split-key in this example)]

If you have selected the barcode for “Write-In Candidate Only”, please write your
candidate’s name below:

_______________________________

{Insert legal affiant language here}

____________________________          __________________________
Signature of John Q. Public           Date Signed

This system does not require replacing existing software, and it does not interfere
with existing voter records. Implementing it requires what is called a “one-to-one”
database table link. A database table typically contains a “Primary Key”, which ensures
that a record can be indexed and maintained properly; the Primary Key cannot be modified
and permanently identifies a single record. An additional table containing a link to the
voter record’s Primary Key, the public/private key pair, and the candidate barcodes
would be linked to the existing set of records. Declaring that link unique ensures that
every existing voter record has exactly one permanently linked record in the barcode
table, and that the Primary Key stored in the barcode table always matches a Primary
Key in the existing table.

The following describes a proposed method of implementing the two-dimensional
barcode system.

1. There is a “cut-off” date by which Presidential candidate names must be submitted.
   After that date, there will be a known and unchangeable number of possible candidates
   that would normally be listed on a standard paper ballot. That number defines how
   many split-keys will be generated. In this example, we continue with six candidates
   plus a “write-in” candidate (seven choices). This could be described as the
   “Split-Key Calculation Date”.

2. For each County Board of Elections, one set of public/private keys must be generated
for each registered voter. Again, this does not require any additional software cost
and the software to generate these keys is completely open-source. A single
public/private key pair will then be assigned to a single registered voter. This
information would be contained within a separate database table of records. Once the
key pair is generated, each private key would be sent through the SSSS program to
effectively provide seven equal “split-keys”. Each split-key would be randomly placed
into a database column matching a candidate choice. Each barcode table record
would essentially contain the following: One primary key matching a registered voter,
one assigned public key, one assigned private key, seven fields (one for each split-
key), and an empty field that would contain the result of the returned ballot.

3. Prior to Election Day, the barcode database table should be exported and distributed
   to the general public. Again, the table would not contain any voter information, and
   from the table alone it would be impossible to determine which split-key corresponds
   to which candidate. Distributing the table would negate any claims that the barcode
   data was altered after voting had started. Once the barcode database table is
   distributed, it is essentially “locked in place”: if it were altered, a bad actor would
   additionally need to alter every other copy that had been previously distributed.
   Even then, the bad actor would not know which sticker the voter would choose to
   place on the ballot.

4. On Election Day, the ballots can be presented in-person at a polling location. The poll
   worker would hand the voter the ballot and a sealed envelope. The envelope would
   contain the sheet of stickers and the Split-Key Signature Confirmation Page; the
   sheet of stickers and confirmation page must be inside a sealed envelope. This
   system could also work by mail, providing a voter with the same exact paperwork listed
   above. A bad actor could not alter the ballot without a copy of the sticker sheet given
   to each voter, and a hologram or watermark on each sticker would make that type of
   tampering harder. Even if a bad actor were to replace a sticker, the voter could
   cross-check their vote against their Split-Key Signature Confirmation Page once the
   election results are made public.

5. The completed ballots would be scanned and recorded easily using inexpensive 2D
   barcode scanners, without any knowledge of which candidate was chosen. During
   the ballot scanning process, it is highly suggested that additional data, such as the
   location where the ballot was scanned and a unique code identifying the election
   worker or the automatic scanning machine, be appended to the record. An example of a
   single scanned ballot record entry is shown on the following page:

By utilizing this method, verification models can be easily viewed, without releasing the
private information of the voter, or the vote itself. The voter, if desired, can at any point
after the ballots were cast, independently verify that their vote was processed correctly
and accurately. Using a smart phone, the public key can be scanned instead of typing in
the long string of characters. The split-key can also be scanned by a smart phone
camera.

If duplicate ballots were generated by a bad actor, it would be quickly determined during
the scanning process. If a ballot was submitted that contained the same Public Key as a
previous ballot, an investigation can take place based on the location of where the ballots
were scanned, the operator, and the date/time stamp of each scanning. It is highly
recommended that the Official Ballot Form be stored either as a hard copy or a digital
copy in the case an investigation is required.

6. The resulting choice from the sticker would be matched against the split-key in the
database. Once confirmed, the split-key would be recorded within the database table
as the voter’s choice.

7. Once tabulated and certified, the database table can be made public for all to view.
   Every voter can and should independently verify that their vote was received and
   recorded correctly. Any anomalies would become evident as voters cross-checked and
   validated their entries.
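The “one-to-one” table link from the implementation section and steps 2 through 7 above, as an added example that is not the proposal’s code: an SQLite schema with the existing voter table, a barcode table tied to it by a unique foreign key, the certification agency’s separate candidate-slot table and a scan log; plus functions for the pre-election public export, the Election-Day scan checks (the sticker must be one of the voter’s seven, a second ballot for the same public key is flagged, and location, operator and time are logged for every attempt), tabulation, and the voter’s prefix lookup. The keys, candidate names and slot assignment are the proposal’s sample values; the shortened share strings, table names, column names and the sample scan records are constructed for this example.

```python
"""Added example (not the OSEVS proposal's code): one-to-one barcode table,
Election-Day scan checks, pre-election export, tabulation and voter lookup,
on an in-memory SQLite database so it runs offline."""
import sqlite3

# The proposal's sample voter, keys and candidate-to-slot assignment.
PUBLIC_KEY = "1Jr948ydQhm1ZLLaanTAVjqgKBqyQhVGXo"
PRIVATE_KEY = "5JNcM5GtyhBP6NFdbmwJMDNMuVkzbxwmYcEeNE2ouJM7s558sq41"
# Constructed: shares shortened to the confirmation-page form "index-6hex".
SHARES = {1: "1-f19816", 2: "2-54a66e", 3: "3-7babb3", 4: "4-d8b611",
          5: "5-35073d", 6: "6-8937ab", 7: "7-4cc083"}
SLOT_OF = {"Alex Alpha": 3, "Barbara Beta": 4, "Gary Gamma": 1,
           "Darius Delta": 5, "Elise Epsilon": 7, "Zoey Zeta": 2,
           "(Write-In Candidate)": 6}

SCHEMA = """
CREATE TABLE voter (
    voter_id INTEGER PRIMARY KEY, name TEXT NOT NULL, address TEXT NOT NULL);
-- One row per voter: the UNIQUE foreign key is the one-to-one link.
CREATE TABLE barcode (
    voter_id    INTEGER NOT NULL UNIQUE REFERENCES voter(voter_id),
    public_key  TEXT NOT NULL UNIQUE,
    private_key TEXT NOT NULL,
    share_1 TEXT NOT NULL, share_2 TEXT NOT NULL, share_3 TEXT NOT NULL,
    share_4 TEXT NOT NULL, share_5 TEXT NOT NULL, share_6 TEXT NOT NULL,
    share_7 TEXT NOT NULL,
    result  TEXT);
-- Kept separately by the certification agency: which share index is which candidate.
CREATE TABLE candidate_slot (
    voter_id INTEGER NOT NULL REFERENCES barcode(voter_id),
    slot INTEGER NOT NULL CHECK (slot BETWEEN 1 AND 7),
    candidate TEXT NOT NULL, PRIMARY KEY (voter_id, slot));
-- Every scan attempt, accepted or not, with where, who and when.
CREATE TABLE scan_log (
    public_key TEXT NOT NULL, share TEXT NOT NULL, location TEXT NOT NULL,
    operator TEXT NOT NULL, scanned_at TEXT NOT NULL, outcome TEXT NOT NULL);
"""
SHARE_COLS = ", ".join(f"share_{i}" for i in range(1, 8))


def open_db():
    """Create the schema and load the single sample voter."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO voter VALUES (1, 'John Q. Public', "
                 "'123 Main Street, Anywhere, NJ 00001')")
    conn.execute("INSERT INTO barcode VALUES (?,?,?,?,?,?,?,?,?,?,NULL)",
                 (1, PUBLIC_KEY, PRIVATE_KEY, *(SHARES[i] for i in range(1, 8))))
    conn.executemany("INSERT INTO candidate_slot VALUES (?,?,?)",
                     [(1, slot, name) for name, slot in SLOT_OF.items()])
    conn.commit()
    return conn


def public_export(conn):
    """Distributed before Election Day: keys and shares, no voter_id, no mapping."""
    return conn.execute(f"SELECT public_key, {SHARE_COLS} FROM barcode").fetchall()


def record_scan(conn, public_key, share, location, operator, scanned_at):
    """Scan one returned ballot; logs every attempt and returns the outcome."""
    row = conn.execute(f"SELECT {SHARE_COLS}, result FROM barcode WHERE public_key = ?",
                       (public_key,)).fetchone()
    if row is None:
        outcome = "unknown_key"
    elif share not in row[:7]:
        outcome = "bad_share"      # sticker is not one of this voter's seven
    elif row[7] is not None:
        outcome = "duplicate"      # this public key was already counted: investigate
    else:
        conn.execute("UPDATE barcode SET result = ? WHERE public_key = ?",
                     (share, public_key))
        outcome = "accepted"
    conn.execute("INSERT INTO scan_log VALUES (?,?,?,?,?,?)",
                 (public_key, share, location, operator, scanned_at, outcome))
    conn.commit()
    return outcome


def tabulate(conn):
    """Join each recorded share's index to the agency's candidate-slot table."""
    rows = conn.execute("""
        SELECT cs.candidate, COUNT(*) FROM barcode b
        JOIN candidate_slot cs ON cs.voter_id = b.voter_id
         AND cs.slot = CAST(substr(b.result, 1, instr(b.result, '-') - 1) AS INTEGER)
        WHERE b.result IS NOT NULL GROUP BY cs.candidate""").fetchall()
    return dict(rows)


def voter_lookup(conn, key_prefix):
    """Public verification: first characters of the public key -> recorded share."""
    return conn.execute("SELECT public_key, result FROM barcode "
                        "WHERE substr(public_key, 1, ?) = ?",
                        (len(key_prefix), key_prefix)).fetchall()


def one_to_one_enforced(conn):
    """A second barcode row for the same voter must be rejected by the schema."""
    try:
        conn.execute("INSERT INTO barcode VALUES (?,?,?,?,?,?,?,?,?,?,NULL)",
                     (1, "1SecondKeyForSameVoter", "x", *(["0"] * 7)))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    return False
```

Note that tabulate() is the only function that touches candidate_slot; everything distributed to the public (public_export, voter_lookup) returns public keys and share strings only, which is the separation the proposal relies on.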

Conclusion:

OSEVS provides a layer of security, anonymity, integrity, and an independent ballot
verification process. No one handling a submitted ballot could determine the candidate
chosen without the agency’s candidate-to-split-key table. A voter can independently
verify almost immediately that the submitted vote was accepted, and can verify as a
public record that the recorded split-key matches their selection while the selection
itself remains private to the individual voter. This method eliminates the human element
of viewing ballots and of manual submission after computer failure. Election results would
be revealed in real time, given the speed and accuracy of current 2D barcode scanning
technology.

This method relies on no centralized system, there is no licensing cost, and no
royalty payments. It is based on a proven unique public/private key assignment, and all
the software code described can be reviewed and is owned by no person or corporation.
The implementation internally would be the simple addition of a database table to the list
of verified voters and could be achieved at a minimal cost. We owe it to the public to
advance a provably fair, accurate, and efficient method of electing our leaders.

I, as the author of this document, wish to have my identity remain private. I am an
American citizen and registered voter. I do not work for any corporation, and I am not
submitting this on behalf of any political party, social media platform, or business entity.
I am the sole author of this document.

