A worked example of the VITK/BCTK independent-tier architecture, voter-ballot unlinkability by cryptographic structure, and multi-party reconstruction under judicial authorization in the voting variant of the ABT methodology family.
The ABT-V variant applies the foundational envelope-tier architecture to democratic participation, with the single-precinct federal ballot as the canonical scenario. The variant-specific architectural elements are: independent VITK and BCTK tier keys, such that voter identity and ballot content are encrypted to cryptographically independent tier authorities and cannot be correlated without explicit multi-party reconstruction; a voter-verifiable receipt that allows the voter to confirm their ballot was counted without revealing which ballot is theirs; and judicial-authorization multi-party reconstruction, in which three independent guardians each hold a key shard and unanimous participation is required before a voter-ballot pair can be linked — an event reserved for forensic audit, not routine administration. This memorandum follows a single ballot from casting to tally to contested-election forensic review.
Adeyemi's device holds a persistent voter key registered at enrollment. From it, she derives a per-ballot tokenized key scoped to this election only. Her vote is encrypted to two independent tier keys before leaving her device.
| Actor | Role | Endpoint | Holds |
|---|---|---|---|
| Kamara Adeyemi | Voter, first party | Personal device | Persistent voter key vk_adeyemi; derives per-ballot token ballot_c7d9 at casting time |
| Millbrook County Board of Elections | Tally authority, second party | County election system | BCTK tier key; can decrypt ballot content projection; cannot decrypt voter identity projection |
| Process integrity guardian | Registry, neutral witness | Independent oversight body | Routes casting events, witnesses hash chain, holds no decryption material for either tier |
The VITK (Voter Identity Tokenization Key) and BCTK (Ballot Content Tokenization Key) are cryptographically independent tier keys. They are not derived from each other. Decrypting the VITK projection reveals who voted. Decrypting the BCTK projection reveals what was voted. Neither projection enables decryption of the other. Correlation requires explicit multi-party reconstruction — a separate event, separately authorized.
The tally authority decrypts the BCTK projection at their endpoint. They see the selections. They do not see, and cannot derive, the voter's identity. The VITK tier is sealed to them at the cryptographic level.
The tally authority adds ballot_c7d9 to the aggregate count. They know: a valid ballot was cast, in precinct 7, for the 2028 general election, with selections on three contests. They do not know, and cannot determine, whose ballot this is.
Double-counting prevention operates through the ballot receipt's uniqueness: each ballot_c7d9 identifier is structurally bound to a single voter registration credential at envelope construction time. Presenting the same ballot twice produces an invalid duplicate entry detectable by the registry without requiring the tally authority to know the voter's identity.
The public tally log is a hash-chained registry record. Adeyemi can verify ballot_c7d9 is present in the log from her device, without revealing her identity to any observer of the log.
The verification is a private computation on Adeyemi's device. She derives ballot_c7d9 from her persistent voter key and the election seed. She checks whether that identifier appears in the public log. The log contains ballot identifiers — not voter identities. An observer watching the verification process sees Adeyemi perform a lookup; they see the receipt identifier; they do not learn from that observation which candidate she voted for.
This is the voter-verifiable receipt mechanism. It proves inclusion without proving content and proves participation without proving identity.
A contested-election proceeding authorizes cryptographic reconstruction of specific challenged ballots. Reconstruction of a voter-ballot pair requires all three process integrity guardians — Warden Osei, Magistrate Petrov, and Registrar Valdes — to participate. No single guardian and no pair can reconstruct unilaterally.
The reconstruction event is witnessed by the registry and entered into the hash-chained log. It requires: a valid judicial authorization, the participation of all three guardians, and a ballot identifier from the authorized audit scope. Each reconstruction event is individually logged — reconstructing ballot_c7d9 does not grant access to ballot_c7d8 or ballot_c7da.
The threshold is 3-of-3, not 2-of-3. A simple majority is insufficient for voter-ballot linkage. The design reflects the gravity of the disclosure: any reconstruction event that links a voter's identity to their ballot choices is a singular forensic event, not an administrative operation.
With all three guardian shards present and judicial authorization confirmed, the process integrity guardian constructs the reconstruction key. The VITK and BCTK tiers are both decryptable for ballot_c7d9 specifically. The result is logged and sealed.
| Guardian | Shard contributed | Signature |
|---|---|---|
| Warden Osei (guardian, shard 01) | shard_osei provided | rec_osei_c7d9 |
| Magistrate Petrov (guardian, shard 02) | shard_petrov provided | rec_petrov_c7d9 |
| Registrar Valdes (guardian, shard 03) | shard_valdes provided | rec_valdes_c7d9 |
Reconstruction reveals the voter-ballot pair for the specific forensic purpose authorized. The election tally is not modified by reconstruction. The reconstruction record — who participated, which ballot, under which authorization — is permanently part of the hash-chained log.
The result of reconstruction is forensic, not administrative. The tally authority cannot use reconstruction output to modify vote counts — reconstruction is a read operation, not a write operation on the tally. The purpose of the contested-election audit is to verify that ballot_c7d9 was validly cast, validly counted, and accurately recorded — not to change the outcome based on who cast it.
After the reconstruction event closes, the voter-ballot linkage exists only in the sealed forensic record and in the guardians' logs. The VITK and BCTK tiers of ballot_c7d9 remain sealed in all other contexts. A subsequent request to reconstruct the same ballot requires a new judicial authorization and a new 3-of-3 guardian participation event.
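The flow above, from dual-tier sealing on the device through the registry's hash-chained log (receipt lookup and duplicate detection) to 3-of-3 guardian reconstruction, as an added Python example that is not part of the memorandum or the ABT-V specification. The HMAC-based stream cipher, XOR secret sharing, the token derivation and the shape of the authorization record are illustrative assumptions chosen here, not the ABT-V constructions.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy tier cipher (assumption, not the memorandum's): HMAC-SHA256 keystream XOR data.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def tier_seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def tier_open(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def ballot_token(voter_key: bytes, election_seed: bytes) -> str:
    # Per-ballot identifier scoped to one election; derivable only with the voter key.
    return "ballot_" + hmac.new(voter_key, election_seed, hashlib.sha256).hexdigest()[:12]

def cast(voter_key, voter_id, selections, election_seed, vitk, bctk):
    # Identity and content are sealed to independent tier keys before leaving the device.
    return {"id": ballot_token(voter_key, election_seed),
            "vitk": tier_seal(vitk, voter_id), "bctk": tier_seal(bctk, selections)}

class HashChainLog:
    # Registry-side tamper-evident log; it holds ballot identifiers, never identities.
    def __init__(self):
        self.head, self.entries = b"\x00" * 32, []
    def append(self, entry: str) -> bytes:
        if self.contains(entry):  # double casting detected without knowing the voter
            raise ValueError("duplicate ballot identifier")
        self.head = hashlib.sha256(self.head + entry.encode()).digest()
        self.entries.append((entry, self.head))
        return self.head
    def contains(self, entry: str) -> bool:
        return any(e == entry for e, _ in self.entries)

def split_3_of_3(secret: bytes):
    # XOR sharing: any two shards are uniformly random and reveal nothing about the secret.
    s1, s2 = os.urandom(len(secret)), os.urandom(len(secret))
    return s1, s2, bytes(a ^ b ^ c for a, b, c in zip(secret, s1, s2))

def reconstruct_vitk(shards, ballot_id: str, authorization: dict) -> bytes:
    # Refused unless the authorization names this ballot and all three shards are present.
    if ballot_id not in authorization["scope"] or len(shards) != 3:
        raise PermissionError("reconstruction refused")
    return bytes(a ^ b ^ c for a, b, c in zip(*shards))
```

The tally authority only ever calls tier_open with the BCTK key, so the identity projection stays opaque to it; reconstruct_vitk is the separately authorized event that releases the VITK key for one named ballot.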
Cryptographic claim summary. The variant-specific architectural elements claimed in the ABT-V disclosure are: (a) independent VITK and BCTK tier keys constructed at the voter's device such that the two tiers are cryptographically independent and cannot be correlated without explicit reconstruction; (b) voter-verifiable receipt enabling participation confirmation without identity or content disclosure; (c) 3-of-3 guardian multi-party reconstruction under judicial authorization, with each reconstruction event individually scoped and logged; (d) separation of reconstruction from tally modification such that forensic access does not alter the election record; (e) process integrity guardian as hash-chained witness with no decryption capability for either VITK or BCTK tiers. The foundational mechanism — first-party-side encryption, callback-mediated key release, forward-only tier activation, per-tier projection, tamper-evident hash-chained logs — is inherited from the foundational specification.