ThreeBallot is a voting protocol invented by Ron Rivest. ThreeBallot is an end-to-end (E2E) auditable voting system that can in principle be implemented on paper. The goal in its design was to provide some of the benefits of a cryptographic voting system without using cryptographic keys.
It may be difficult for a vote to be both verifiable and anonymous. ThreeBallot attempts to solve this problem by giving each voter three ballots: one verifiable, and two anonymous. The voter chooses which ballot is verifiable and keeps this secret; since the vote-counter does not know, there is a 1/3 chance of being discovered destroying or altering any single ballot. The voter is forced to make two of his three ballots cancel each other out, so that he can only vote once.
The crucial advantages that the ThreeBallot system offers over comparable, ciphered ballots are:
Additional theoretical system goals include:
In the ThreeBallot Voting System voters are given three blank ballots, identical except for a unique identifier that is distinct for each ballot. To vote for a candidate the voter must select that candidate on two of the three ballots. To vote against a candidate (the equivalent of leaving a ballot blank in other systems) the voter must select that candidate on exactly one ballot.
Thus every candidate gets at least one ballot with a mark, and one ballot without a mark; as a result seeing any one ballot does not tell if the voter voted for the candidate or not. While this also means that every candidate gets at least one vote when the three ballots are summed, this constant offset for all the candidates (equal to the number of voters) can be subtracted off the final total of all the ballots.
However, it is imperative that to verify that the voter did not mismark their ballot: no candidate can be left blank on all 3 ballots, and no candidate can be selected on all three ballots.
This requirement means all three ballots must be inserted into a machine to validate this before the 3 ballot vote is cast. Failure to do so would enable a voter to both cast an extra vote for and an extra vote against, allowing voter fraud; by design a for vote cannot be distinguished from an against vote once cast, so this multiple-vote fraud could not be detected until the final tally-verification (and maybe not even then), and it cannot be corrected at that point or even traced to a specific voter.
Typically, the ballots might be co-joined to simplify the marking by the voter, but before they are cast it is imperative that the ballots be separated. Once separated, and combined with other ballots in scrambled order, the true vote is encrypted. For example, consider just the third column ballot for John and Barb above. Each of them has an 'X' but the voter is actually voting for John not Barb. Likewise if you saw just the second column ballot, then it only shows a mark for Bill, but again the over all vote by the three ballots together is actually for John. When all 3 ballots are summed the totals will show 2 marks for John and 1 mark each for Barb and Bill. Subtracting the number of voters, in this case 1, produces 1 vote for John and none for the others.