Bilateral tier separation between voter identity and ballot content. No party can unilaterally reconstruct any voter-ballot pair. A vote counted twice and never linked once.
Elena casts her ballot. Two things happen simultaneously: the ballot is registered against her voter identity (proving she voted exactly once), and the ballot content enters the count. These two events use structurally independent key tiers.
No single party holds both tier keys. The election authority holds the identity tier. The count observer holds the ballot content tier. Neither can read the other's tier. Neither can link Elena's identity to her specific ballot choice. Even if both parties colluded and combined their records, the structure prevents reconstruction.
The count is independently verifiable. The voter-ballot linkage is structurally impossible. Both properties hold simultaneously, not as a policy compromise but as a mathematical property of the envelope architecture.
National elections, state referendums, union ballots, shareholder votes, board elections — any democratic process where simultaneous verifiability and ballot secrecy are legal or ethical requirements.
ABT-V uses Ed25519 digital signatures for authentication of every event at every party. Per-event symmetric keys are derived via HKDF with the event identifier as salt and held in hardware-backed secure storage (Apple iOS Keychain, Android Keystore, or equivalent platform secure-storage).
Envelope encryption is performed at the first-party endpoint before any ciphertext leaves the device or origin. Each tier authority’s ciphertext contains only that tier’s authored projection — information not relevant to a tier authority is authored out before encryption, not redacted after.
The registry maintains a hash-chained log where each entry’s hash includes the prior entry’s hash, providing tamper-evident integrity across the chain.
Forward-only tier activation: registration of a new tier authority causes inclusion of an active tier layer in subsequent envelopes only. Existing envelopes are not retroactively modified.
Cryptographic boundary at the first party. Plaintext never moves. Per-tier projection authored at envelope construction. Registry-routed restoration requires structural participation by all three parties.
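A verifier for the hash-chained registry log described above, as an added example that is not ABT-V code. It goes one step past the text by also comparing against an independently held head hash, because a chain that is rewritten and rehashed from some entry onward stays internally consistent. Assumptions: the entry layout, SHA-256, the all-zero genesis value, and the constructed sample events.

```python
import copy, hashlib, json

GENESIS = "00" * 32  # assumed "prior hash" for the first entry

def entry_hash(prev_hash, payload):
    # Canonical JSON keeps the hash stable regardless of key ordering.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()

def append(log, payload):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})

def first_broken(log):
    """Index of the first entry whose link or hash fails, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    return None

def verify(log, trusted_head):
    """Chain must be internally consistent AND end at the pinned head hash."""
    return first_broken(log) is None and bool(log) and log[-1]["hash"] == trusted_head

def build_sample():
    # Constructed sample entries: event ids and ciphertext digests are made up.
    log = []
    for n, tier in enumerate(["identity", "content", "identity"], start=1):
        ct = hashlib.sha256(f"ciphertext-{n}".encode()).hexdigest()
        append(log, {"event_id": f"evt-{n:03d}", "tier": tier, "ct_sha256": ct})
    return log

def rewrite_from(log, index, payload):
    """Model a registry copy whose entry was replaced and whose tail was rehashed."""
    forged = copy.deepcopy(log[:index])
    for p in [payload] + [e["payload"] for e in log[index + 1:]]:
        append(forged, p)
    return forged

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["hash"]  # held by an independent verifier
    edited = copy.deepcopy(log)
    edited[1]["payload"]["tier"] = "identity"
    print("in-place edit detected at entry", first_broken(edited))
    forged = rewrite_from(log, 1, edited[1]["payload"])
    print("rehashed copy:", first_broken(forged), verify(forged, head))
```

The in-place edit fails at the modified entry, while the rehashed copy passes the internal check and is rejected only by the pinned head comparison.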
Cryptography researchers studying envelope encryption, tier-bounded ciphertext, deterministic key derivation, and signed receipt chains in electoral integrity infrastructure.
Privacy researchers studying architectural privacy enforcement, unlinkability, purpose limitation, retention through cessation, and consumer-controlled key custody.
Consumer protection advocates seeking architectural alternatives to policy-based privacy enforcement. Cryptographic structural enforcement, not vendor trust.
Policy researchers examining cryptographic enforcement of storage limitation (GDPR Article 5(1)(e)), data minimization (GDPR Article 5(1)(c)), and consumer protection requirements.
Election security researchers studying voter privacy, ballot secrecy, voter-ballot unlinkability, end-to-end verifiable elections, integrity-vs-anonymity trade-offs, and cryptographic election audit trails. Election officials evaluating cryptographic alternatives to policy-based ballot privacy.