After election officials verify voter eligibility via whichever method they choose, they dispense, via whichever method they choose, a folded, sealed, tamper-evident paper ballot (containing a hidden printed Ballot ID# and a hidden Ballot Private Key QR Code) to the voter.   

• Election officials can dispense ballots in-person by hand, via Ballot Vending Machines at polling stations, and/or via mail.
• The Ballot Vending Machines provide an added layer of security to voter anonymity because election officials do not know which ballot a voter will select from a vending machine, nor do they know which vending machine a voter will choose.  
• To dispense ballots via Ballot Vending Machines (located in polling stations), election officials can dispense a ballot token (identical to all other tokens) that enables the voter to select a ballot from a Ballot Vending Machine.    
• The folded, sealed, tamper-evident paper ballot enables a voter to ensure that 1) no one else knows which Ballot ID# the voter received and 2) the Ballot Private Key has not been compromised.
• The hidden Ballot ID# enables the voter to use it and a blockchain explorer to verify their ballot data has been added to the independent stakeholder blockchains.
• The hidden Ballot Private Key QR Code enables a digital signature to be applied to a scanned datafile of the ballot so that the public and recipient blockchains can verify the integrity of the scanned-ballot datafile using the corresponding pre-election-published Ballot Public Key.
• The hidden Ballot Private Key is printed in invisible ink in the form a QR Code to thwart any bad actor voters who seek to copy the Ballot Private Key, which would be a pointless effort because the repeated use of a Ballot Private Key to cast a different ballot would be detected and invalidate both cast ballots.

The voter enters a private space or voting booth to open and fill out the paper ballot.

• Optionally, the voter writes down the Ballot ID# if the voter wants to verify their ballot was added to the stakeholder blockchains. 
• The voter has plausible deniability about which Ballot ID# they cast because the voter can claim that their Ballot ID# is any Ballot ID# cast onto the blockchain around the same time as theirs from the same polling station, which would obfuscate bad actor efforts to verify which ballots were cast by which voters when seeking to buy or coerce votes. 

At a polling station, the voter (or an election official) feeds the marked paper ballot into a Ballot-Casting Automated Teller Machine (ATM), which contains a Ballot-Scanner-Set Assembly with multiple independent-stakeholder scanners (each with a unidirectional data diode) that can each separately apply a stakeholder-scanner digital signature to each scanned-ballot datafile as well as a paper ballot digital signature (that can each be verified by the public using the corresponding  pre-election-published Stakeholder Scanner Public Key and Paper Ballot Public Key).

• Each stakeholder contributes a transmitting scanner (with a unidirectional data diode) that transmits scanned-ballot datafiles to all the independent-stakeholder blockchains. 
• The unidirectional data diode on each stakeholder transmitting scanner only permits data to exit, not enter the scanner, in order to physically prevent malware from entering the transmitting scanner from the internet.
• Each stakeholder contributes a receiving scanner (with a unidirectional data diode) that receives confirmation from each independent-stakeholder blockchain when a scanned-ballot datafile has been validated and added to a blockchain.
• The unidirectional data diode on each stakeholder receiving scanner only permits data to enter, not exit the scanner, in order to 1) physically prevent the scanner (which  could become infected with malware from the internet) from transmitting a falsified scanned-ballot datafile to the blockchains and 2) prevent hackers from getting needed feedback on any malware they attempt to send to the scanners.

Each independent-stakeholder scanner (within the Scanner-Set Assembly inside the Ballot-Casting ATM) independently transmits the scanned-ballot datafile with a digital signature from the Ballot Private Key, a digital signature from the stakeholder Scanner Private Key, and a scanner-generated Cryptographic Puzzle to all participating independent-stakeholder Ballot Blockchains, which are each independently centrally controlled by a stakeholder.

• The ballot digital signature and the scanner digital signature on the scanned-ballot datafile enable the public and the blockchains to verify the integrity of each scanned-ballot datafile using the corresponding pre-election-published Ballot Public Key and Scanner Public Key.
• The scanner-generated cryptographic puzzle serves as a deterrent to bad actors who want to censor/withhold the scanned-ballot datafile from the blockchains.  The cryptographic puzzle forces bad actors to expend resources/time/money to solve the cryptographic puzzle to determine if the contents of the scanned-ballot datafile meet their criteria for censorship.

A shredder (within the Scanner-Set Assembly inside the ATM) shreds the Ballot Private Key off the paper ballot.  

Doing so makes it impossible to re-cast an altered or unaltered marked-paper ballot onto the blockchains because the blockchains will reject any datafile that lacks a valid ballot digital signature (and a valid scanner digital signature) if the blockchains are running valid blockchain builder/validator software.

Each independent-stakeholder Ballot Blockchain uses the same validation protocol to add a scanned-ballot datafile to its blockchain.  

(A member of the public can use the same validation protocol to build a duplicate ballot blockchain and then compare it against the stakeholder ballot blockchains using a blockchain explorer designed to compare them.)  

The validation protocol used to add a new scanned-ballot datafile to a ballot blockchain requires that the scanned-ballot datafile:

• has a valid ballot ID# (that is on the pre-election-published “Ballot ID# & Corresponding Ballot Public Key List”), 
• has a valid corresponding ballot digital signature (which is confirmed using the pre-election-published “Ballot ID & Corresponding Ballot Public Key List” ), 
• has a valid scanner digital signature (which is confirmed using the pre-election-published “Stakeholder Scanner Public Key List”), and 
• passes a data-match check, using the designated open-source cryptographic hash function to show the ballot-image hash was created with the designated open-source cryptographic hash function.

Each stakeholder blockchain likely stores the scanned-ballot datafiles in different sequences (based on their differing travel paths and speed over the internet from the scanners to the stakeholder blockchains), but the count of scanned-ballot datafiles on the blockchains will be identical if all the blockchains store all the scanned-ballot datafiles.  

If a stakeholder tries to censor opposing ballots by not transmitting them (from their scanners or from internet nodes on the internet paths of the ballot datafiles) to the blockchains) or by not publishing/adding them on their own blockchain, that is likely a futile effort for the following reasons:

• The competing stakeholder’s scanners will likely transmit their own scans of the ballots and add/publish them to their own stakeholder blockchain, where they can be validated by the public with the corresponding Ballot Public Keys and Scanner Public Keys.  
• The censoring stakeholder blockchain will not be used in isolation to count the votes.  The other competing stakeholder blockchains will also be used to count the votes. 
• The censorship of the censoring stakeholder blockchain will be apparent publicly, which is a deterrent because a competing stakeholder is seeking legitimacy in winning an election. 
• The blockchain explorer vote-counting software is only looking for unanimous agreement among the validated blockchain-posted ballot datafiles for a given Ballot ID#, so the absence of one stakeholder-scanner’s ballot datafile from the blockchains will not prevent the other stakeholder-scanners’ ballot datafiles of the same Ballot ID# from being counted by the blockchain explorer software. This rule prevents a stakeholder from causing opposing ballots to be discounted by withholding their own scanner’s copy of them.
• The only way a Ballot ID# will be discounted from the blockchain explorer’s vote-count is if there is not unanimous agreement from all the validated blockchain-posted ballot datafiles for that particular Ballot ID#.  
• --Thus, there must be a validated scanned-ballot datafile with information that conflicts with another validated scanned-ballot datafile with the same Ballot ID# in order to discount that Ballot ID#.  
• --Then, the paper ballots of any discounted Ballot ID#s (without unanimous agreement among the stakeholder scanner-signed datafiles) can be hand-counted if they exceed the number sufficient to overturn the election results.

The Ballot-Casting ATM flashes a green light if it received confirmation that the scanned-ballot datafile was added to a stakeholder blockchain or a red light if not, and then drops the paper ballot into a corresponding transparent green or red plastic box inside the clear plastic ATM machine. 

• If the green light doesn’t flash within 30 seconds, then the voter can report it to election officials in Step 9 (without giving the Ballot ID# or their name), and 
• if the total number of such reports exceeds the number of votes required to overturn the election results, then a hand count and audit of paper ballots is conducted.

The voter can use their privately viewed Ballot ID# (optionally written down inside their private voting space) and a blockchain explorer on a government computer or a personal mobile device to lookup their ballot data on the Stakeholder Ballot Blockchains.  

Meanwhile, bad actors seeking to buy or coerce votes can’t verify which ballot the voter cast  because the voter's Ballot ID# could be any Ballot ID# cast onto the blockchain around the same time at the same polling station.

If voters are unable to find their ballot data on the blockchains or they find their ballot data has been altered, then voters can verbally inform an  election official who keeps a paper tally of such reports (that doesn’t identify the voter).  

If the total number of such reports exceeds the number of votes required to overturn the election results, then a hand count and audit of paper ballots is conducted.

A blockchain explorer provides a live report (throughout the vote casting and counting process) with the following information pulled from all the stakeholder blockchains:

1) Tallies of votes for each candidate (from all the validated, blockchain-posted scanned-ballot datafiles for a given Ballot ID# that have unanimous agreement on their data across all stakeholder blockchains). 

• The criteria to count a ballot (and it’s vote(s)) is unanimous agreement among all the stakeholder-scanner-signed, paper-ballot singed, validated, blockchain-posted scanned-ballot datafiles for a given Ballot ID# across all stakeholder blockchains.  

2) The total number of ballots that would be required to overturn the election results.

3) A tally and list of every Ballot ID# that lacks unanimous agreement among its stakeholder-scanner-singed, blockchain-posted, validated scanned-ballot datafiles (and are thus excluded from the automatic vote tallies).  

• The list indicates which scanned-ballot datafiles are invalid (lack a valid Scanner Public Key or a valid Ballot Publick Key), which cannot happen if a blockchain is using valid Ballot Blockchain Builder Software/validation protocol.)
• The list specifies which scanned-ballot datafiles are on which stakeholder blockchains. 
• The list is sequenced by Ballot ID#.

4) A tally and list of every Ballot ID# that has unanimous agreement among its stakeholder-scanner-singed, blockchain-posted, validated scanned-ballot datafiles (and are thus included in the automatic vote tallies).

• The list specifies which scanned-ballot datafiles are on which stakeholder blockchains.
• The list is sequenced by Ballot ID#.

5) A tally and list of every Ballot ID# that is missing from each blockchain. 

• The list is grouped by stakeholder blockchain and sequenced by Ballot ID#. 
• The list enables the public to see if any stakeholder blockchains appear to be censoring ballots.
• The list enables stakeholders to add any ballots that are missing on their own blockchain yet published on the other competing stakeholder blockchains.
• The list enables the public to see how many ballots have not been cast onto any stakeholder blockchains.

6) A tally and sequential list of all Ballot ID#s and their corresponding validated stakeholder-scanned-ballot datafiles that are published on each Stakeholder Ballot Blockchain 

• The list specifies which pre-election-published Paper Ballot Public Key was used to validate each scanned-ballot datafile.
• The list specifies which pre-election-published Stakeholder-Scanner Public Key was used to validate each scanned-ballot datafile. 
• The list specifies which Stakeholder Ballot Blockchain recorded each scanned-ballot datafile.

7) A tally and sequential list of which Ballot ID#s were cast from which geographic locations based on their scanner digital signatures and the pre-election published list of stakeholder scanners, their Scanner Public Keys, and their assigned locations.

1. Folded, sealed, tamper-evident paper ballots, containing a hidden Ballot ID# and a hidden Ballot Private Key QR Code (printed in invisible ink that is readable by the scanner device).

There’s no software linking a voter to a ballot, and election officials can’t see the Ballot ID#s or track which voters get which Ballot ID#s—as long as the seal on the folded, sealed, tamper-evident paper ballot has not been broken.

• Batches of sequentially numbered ballots are shuffled, given batch numbers, and assigned to specified polling stations, all of which (batch numbers, corresponding Ballot ID#s, and corresponding polling stations) are publicly published before the election.
• The batch numbers enable anyone to identify the source of any compromised ballots.
• The shuffling of the ballots within a batch prevents election officials from knowing which voters got which Ballot ID#s, as long as the seal on the folded, sealed, tamper-evident paper ballot has not been broken—which thwarts bad-actor efforts to buy or coerce votes.

Additionally, the voter has plausible deniability about which Ballot ID# they cast because the voter can claim that their Ballot ID# is any Ballot ID# cast onto the blockchain around the same time as theirs from the same polling station, which would obfuscate bad actor efforts to verify which ballots were cast by which voters when seeking to buy or coerce votes.

2. Optional use of Ballot Vending Machines

Instead of an election official selecting which folded, sealed, tamper-evident paper ballot to give to a voter, the voter selects a ballot from one of multiple Ballot Vending Machines, so election officials can’t know which ballot the voter will get. 

3. Public display of all cast scanned-ballot datafiles on the independent stakeholder blockchains.  

• The public display of all cast scanned-ballot datafiles on the independent stakeholder blockchains obfuscates bad actor efforts to verify which ballots were cast by which voters because a given voter’s Ballot ID# could be any Ballot ID# cast onto the blockchain around the same time from the same polling station—thereby giving voters plausible deniability about which ballot they cast.
• Voters can easily search the Live Blockchain Vote Tallies Report for ballots cast at their polling station within in a specified timeframe.

4. A hidden Ballot ID# and a hidden Ballot Private Key QR Code (printed in invisible ink that is readable by the scanner device) inside a folded, sealed, tamper-evident paper ballot.

The paper ballot provides a tamper-evident auditable trail.  

• The paper ballots can be compared to the scanned-ballot datafiles stored on the stakeholder blockchains.
• If paper ballots were not used, then a whole new election would be needed (requiring voters to re-cast their ballots) if the scanned ballot datafiles or blockchains were compromised.  

The hidden Ballot ID# enables each voter to verify the integrity of their cast scanned-ballot datafile by using a blockchain explorer (search engine) and their Ballot ID# to look up their scanned-ballot datafile on the stakeholder blockchains.  

• If Ballot ID#s were not used, then voters would not be able to verify the integrity of their scanned-ballot datafiles on the blockchains.
• Reminder: The voter has plausible deniability about which Ballot ID# they cast because the voter can claim that their Ballot ID# is any Ballot ID# cast onto the blockchain around the same time as theirs from the same polling station, which would obfuscate bad actor efforts to verify which ballots were cast by which voters when seeking to buy or coerce votes.

The hidden Ballot Private Key QR Code (printed in invisible ink that is readable by the scanner device) guards against unauthorized use of the Ballot Private Key to cast a counterfeit ballot(s).

• Enables anyone with the corresponding pre-election-published Ballot Public Key  to verify the integrity and authenticity of the scanned-ballot datafile. 
• If the Ballot Private Key was not hidden in a tamper-evident way and printed as a QR Code in invisible ink (that is readable by the scanner device), then a bad actor/voter could for example write down or take a picture of the Ballot Private Key to try to cast multiple counterfeit scanned-ballot datafiles to try to overwhelm a blockchain network. 

5. Ballot Private Key (part of a public-private key pair)—printed as a QR Code in invisible ink (readable by the scanner device) and hidden in a folded, sealed, tamper-evident paper ballot.

• Creates and applies a ballot digital signature to the scanned-ballot datafile.
• Enables anyone with the corresponding pre-election-published Ballot Public Key to verify whether the ballot digital signature on the scanned-ballot datafile is valid,  thereby confirming the integrity and authenticity of the scanned-ballot datafile. 
• If a Ballot Private Key were not used while a Scanner Private Key was used, then bad actors could steal a stakeholder scanner or it’s private key to create and transmit counterfeit ballot datafiles to the blockchain database network. 
• If neither a Ballot Private Key nor a Scanner Private Key were used, then bad actors could create and transmit counterfeit scanned-ballot datafiles to the blockchain database network and the counterfeits would not necessarily be detectible.

6. Stakeholder-Scanner Private Key  (part of a public-private key pair)—on a stakeholder scanner.

• Creates and applies a stakeholder-scanner digital signature to each scanned-ballot datafile. 
• Enables anyone with the corresponding pre-election-published Scanner Public Key  to verify whether the scanner digital signature for the scanned-ballot datafile is valid,  thereby confirming the integrity and authenticity of the scanned-ballot datafile.  
• If a Scanner Private Key were not used while a Ballot Private Key was used, then bad actors could steal valid paper ballots and transmit scanned datafiles of them from any device to the blockchain database network. 
• If neither a Scanner Private Key nor a Ballot Private Key were used, then bad actors could create and transmit counterfeit ballot datafiles to the blockchain database network and the counterfeits would not necessarily be detectible. 

7. Cryptographic Puzzle—from a stakeholder scanner.

• Conceals the content of the scanned-ballot datafile during transit over the internet (from the stakeholder scanners to the stakeholder blockchains) by requiring anyone who wants to read the ballot datafile to expend computing power and time to solve the cryptographic puzzle in order to open the datafile.
• If a cryptographic puzzle were not used, then bad actors could easily censor/block scanned-ballot datafiles without needing to expend time and resources to solve the cryptographic puzzle to find out if the ballot meets their censorship criteria. 

8. Multiple Independent-Stakeholder Scanners—in a Scanner Set Assembly.

• Creates the ability to automatically determine whether the independent-stakeholder scanners have unanimous agreement on a given Ballot ID #’s scanned-ballot datafiles.
• Creates the ability to help recognize if an independent-stakeholder scanner is censoring any of its own scanned-ballot datafiles.
• If multiple independent-stakeholder scanners were not used, then bad actors could corrupt just a single scanner with malware to alter or censor scanned-ballot datafiles, and it would be far more difficult to recognize whether the scanned-ballot datafiles had been corrupted because the scanned-ballot datafiles would need to be manually compared to the paper ballots.   
• The multiple independent  stakeholder scanners neutralize a corrupt stakeholder censoring scanned-ballot datafiles from its own scanner transmissions (while the multiple independent  stakeholder blockchains neutralize a corrupt stakeholder censoring ballots on its own blockchain).  

9. Shredder—in the Scanner Set Assembly.

• Shreds the Ballot Private Key QR Code (printed in invisible ink) after its digital signature is applied to the scanned-ballot datafile. 
• If the shredder were not used, then bad actors could try to use the Ballot Private Key to create and transmit counterfeit scanned-ballot datafiles to the stakeholder blockchains, and although the Ballot ID#s with conflicting  scanned-ballot datafiles would be detectible and discounted from the vote tallies, the extra conflicting datafiles could be used to try to sow discord, force a manual count of paper ballots, and/or overwhelm the blockchain network. 

10. Multiple Independent-Stakeholder Blockchains—in the network of cooperating blockchains.

Store cryptographically verified copies of all scanned-ballot datafiles from all the independent-stakeholder scanners.  

Each stakeholder blockchain likely stores the scanned-ballot datafiles in different sequences (based on their differing travel paths and speed over the internet from the scanners to the stakeholder blockchains), but the count of scanned-ballot datafiles on the blockchains will be identical if all the blockchains store all the scanned-ballot datafiles.  

• And even if a  stakeholder blockchain is missing all or some of a Ballot ID#s scanned-ballot datafiles from the various stakeholders, that does not cause the Ballot ID# to be discounted from the vote tallies as long as just one of the other stakeholder blockchains has a cryptographically verified copy of the Ballot ID#s scanned-ballot datafile.  
• Thus, a stakeholder cannot force a ballot to be discounted by withholding the ballot’s scanned datafiles from its own blockchain because a Ballot ID# will only be discounted from the vote tallies if one of its stakeholder scanned-ballot datafiles is conflicting rather than missing on any of the blockchains.
• The multiple independent  stakeholder blockchains neutralize a corrupt stakeholder that is censoring ballots on its own blockchain, while multiple independent-stakeholder scanners neutralize a corrupt stakeholder censoring scanned-ballot datafiles from its own scanner transmissions.

If multiple Stakeholder Operated Blockchains were not used, then bad actors could censor or alter scanned-ballot datafiles via a 51% attack on the single blockchain, and although the tampering would be detectible (via comparison to previous versions of the blockchain), the tampering could be used to sow discord and force a manual count of paper ballots.