Bilateral tier separation between voter identity and ballot content. No party can unilaterally reconstruct any voter-ballot pair.
Filed · Patent pending
ABT-V · voting walkthrough
A vote counted twice and never linked once
A concrete voting scenario showing VITK/BCTK independent-tier construction, voter-verifiable receipt without identity disclosure, and 3-of-3 guardian reconstruction under judicial authorization.
Variant of ABT · US Provisional Patent 64/056,353 · Filed May 4, 2026
The tally authority counts the vote. They never see who they are counting for.
Kamara Adeyemi votes at Millbrook precinct 7
Her device holds a persistent voter key registered at enrollment. She derives a per-ballot token scoped to this election. The ballot is encrypted to two independent tier keys — VITK for identity, BCTK for ballot content — before leaving her device.
Voter · Kamara Adeyemi
Casts ballot
vk_adeyemi · persistent voter key
↓ derives per-election token
ballot_c7d9
encrypts to VITK tier: identity
encrypts to BCTK tier: selections
ballot envelope · ballot_c7d9
Tally authority · Millbrook Board
Receives ciphertext
holds BCTK tier key
VITK tier: sealed permanently
cannot see voter identity
VITK and BCTK are cryptographically independent tier keys. Decrypting BCTK reveals what was voted. Decrypting VITK reveals who voted. Neither projection enables decryption of the other. The tally authority holds only BCTK. Correlating voter to ballot requires 3-of-3 guardian reconstruction — a separate event, separately authorized.
Millbrook Board of Elections counts ballot_c7d9 — without seeing Adeyemi's name
The tally authority decrypts the BCTK projection at their endpoint. They see the ballot selections. The VITK tier is sealed to them at the cryptographic level — the tally authority's tier key cannot reach it.
BCTK projection — accessible to tally authority
ballot_idballot_c7d9
precinctMillbrook precinct 7 · 2028 federal general
contest_presidentselection recorded
contest_senateselection recorded
contest_referendum_14selection recorded
voter_identity— sealed in VITK tier —
voter_credential— sealed in VITK tier —
The tally authority knows: a valid ballot arrived, from precinct 7, with 3 contest selections. They do not know whose ballot this is. Double-counting prevention operates through the ballot receipt's structural uniqueness — each ballot_c7d9 is structurally bound to a single voter credential at construction time. Presenting the same ballot twice produces an invalid duplicate entry detectable at the registry.
Adeyemi verifies ballot_c7d9 appears in the public tally log
The tally log is hash-chained and public. Adeyemi derives her receipt from her persistent voter key and confirms it is present. She reveals nothing about the content of her vote to any observer of the verification.
verify_receipt:
input: ballot_c7d9 (derived from vk_adeyemi · election_seed)
lookup: public tally log → entry found at position 3,847
hash_match: ✓
revealed to observer: ballot_c7d9 was counted · no voter identity · no ballot content
Voter-verifiable receipt without identity disclosure. Adeyemi confirms her vote was counted. An observer watching the verification sees a lookup against a public identifier. They cannot determine from that observation who Adeyemi voted for, or even that it was Adeyemi performing the check if she uses an anonymous session. The receipt proves inclusion, not content.
The election is contested — reconstruction requires all three guardians
A contested-election forensic audit is authorized by a court. Reconstruction of any voter-ballot pair requires unanimous participation of three independent guardians. No single guardian and no pair of two can reconstruct unilaterally.
The threshold is 3-of-3, not 2-of-3. A simple majority is insufficient for voter-ballot linkage. Each reconstruction event is individually scoped — linking ballot_c7d9 does not grant access to ballot_c7d8 or any other ballot. The judicial authorization specifies which ballot identifiers are in scope.
The guardians do not hold VITK or BCTK decryption material separately. They hold shards of a reconstruction key whose combination enables the process integrity guardian to derive the necessary material. The tally authority cannot participate in reconstruction. The voter cannot be compelled to participate — the reconstruction key is derived from guardian shards alone.
Three guardians each contribute. Ballot_c7d9 is linked to Adeyemi — once, under witness.
Warden Osei, Magistrate Petrov, and Registrar Valdes each sign their shard contribution. The process integrity guardian constructs the reconstruction key. The voter-ballot pair is decryptable for this specific ballot under this specific authorization.
Warden Osei
guardian · shard 01 · contributed ✓
Magistrate Petrov
guardian · shard 02 · contributed ✓
Registrar Valdes
guardian · shard 03 · contributed ✓
Reconstruction result · ballot_c7d9 · forensic audit
voter_identityKamara Adeyemi · verified
ballot_content3 contest selections decrypted at guardian endpoint
The reconstruction event is logged permanently and cannot be expunged. Future audit of the registry log will show exactly when ballot_c7d9 was reconstructed, under which authorization, and with which guardian signatures. The event itself becomes part of the audit trail.
The forensic event closes. The tally is not changed. The audit record is permanent.
Reconstruction reveals the voter-ballot pair for the forensic purpose authorized. The election tally is not modified by reconstruction. VITK and BCTK tiers remain sealed in all other contexts. A second reconstruction of the same ballot requires a new authorization and new 3-of-3 participation.
The tally holds. Adeyemi's ballot was verified: validly cast, validly counted, accurately recorded in the tally. The forensic audit found no irregularity. The audit record is now permanent — including the identity of the three guardians who participated, the judicial authorization under which they acted, and the hash-chain entry that links it all.
After reconstruction closes, the voter-ballot linkage exists only in the sealed forensic record and the guardians' logs. VITK and BCTK tiers of ballot_c7d9 remain sealed in all other contexts. No party — including the tally authority, the election board, or the court that issued the authorization — holds ongoing access to the voter-ballot link outside the forensic record.