At election time, the registered and suitably identified voter arrives at an election booth. We don't discuss improvements in voter registration and identification, since it's outside of the scope of this story.
Just before voting, the voter is assigned a UID (Unique ID) by the voting machine. The UID is simply a 512-bit random number designed to be unique across all voters. It does not, in any way, identify the actual voter. It is only used once, for one election. Random numbers are chosen using a respected, highly secure system.
The voter then casts his vote. The machine encodes all of the voters' preferences in a standardized format. Along with the vote, the system includes the UID assigned to the voter.
Public key cryptography is used to provide superior security assurances. The machine uses the "public keys" of, for example, a dozen "audit servers" to encrypt this information. This type of information could not be easily tampered with or forged. Assuming proper cryptography is used, it would take a million machines more than a million years to forge even one vote for one audit server. This technology is not expensive. OpenSSL and GnuPG are excellent, free public key cryptography systems capable of producing this level of military-grade encrypted information.
This information is then transmitted to each of the audit servers. Remember, each audit server has its own public key. So a forger would have to compromise each of the audit servers to forge a single vote. Each audit server is run by a separate organization, not by a centralized committee.
Although an open-source system would be required, these organizations would be encouraged to develop their own audit server software and hardware in accordance with the standardized protocol. Candidate organizations would be chosen based on their ability to provide a secure environment, and reliable communications. These organizations would also need to be geographically separated, in the event of a disaster.
Finally, the machine prints out a card with the voter's UID, encrypted using the voter's PIN, chosen at the time of the vote.
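The booth steps above (random UID, standardized ballot, one encrypted copy per audit server, PIN-protected card), as an added example that is not part of the original article. It assumes the pyca "cryptography" package; the audit-server key pairs are generated in-process only for the demonstration, and the hybrid layout (AES-256-GCM for the ballot, RSA-OAEP to wrap the per-server key, PBKDF2 for the card key) is this example's choice of primitives, not something the article specifies:

```python
# Added example (not the article's own code). Assumes the pyca "cryptography"
# package. Audit-server keys are generated here only for the demonstration.
import json
import secrets
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def new_server_keys(n: int) -> list:
    """Demonstration only: one RSA-2048 key pair per audit server."""
    return [rsa.generate_private_key(public_exponent=65537, key_size=2048)
            for _ in range(n)]


def new_uid() -> bytes:
    """512-bit random UID from the OS CSPRNG; it says nothing about the voter."""
    return secrets.token_bytes(64)


def encode_ballot(uid: bytes, choices: dict) -> bytes:
    """Standardized ballot format: canonical JSON with the UID attached."""
    return json.dumps({"uid": uid.hex(), "choices": choices},
                      sort_keys=True, separators=(",", ":")).encode()


def seal_for_server(server_pub, ballot: bytes) -> dict:
    """Fresh AES-256-GCM key per server, wrapped with that server's RSA
    public key (OAEP). Only the matching private key can open this copy."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = secrets.token_bytes(12)
    return {"wrapped_key": server_pub.encrypt(key, OAEP),
            "nonce": nonce,
            "ciphertext": AESGCM(key).encrypt(nonce, ballot, None)}


def open_at_server(server_priv, sealed: dict) -> bytes:
    """Audit-server side. GCM authentication fails on any tampered byte."""
    key = server_priv.decrypt(sealed["wrapped_key"], OAEP)
    return AESGCM(key).decrypt(sealed["nonce"], sealed["ciphertext"], None)


def card_key(pin: str, salt: bytes) -> bytes:
    """Derive the card key from the voter's PIN with PBKDF2 (slow on purpose,
    so guessing PINs from a stolen card is expensive)."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32,
                     salt=salt, iterations=600_000)
    return kdf.derive(pin.encode())


def print_card(uid: bytes, pin: str) -> dict:
    """The printed card: the UID encrypted under the PIN chosen at the booth."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    ct = AESGCM(card_key(pin, salt)).encrypt(nonce, uid, None)
    return {"salt": salt, "nonce": nonce, "ciphertext": ct}


def read_card(card: dict, pin: str) -> bytes:
    """Recover the UID from the card; a wrong PIN fails authentication."""
    key = card_key(pin, card["salt"])
    return AESGCM(key).decrypt(card["nonce"], card["ciphertext"], None)


def cast_vote(choices: dict, pin: str, server_pubs: list):
    """Booth procedure: assign UID, encode, seal once per audit server, print card."""
    uid = new_uid()
    ballot = encode_ballot(uid, choices)
    sealed = [seal_for_server(pub, ballot) for pub in server_pubs]
    return uid, sealed, print_card(uid, pin)


def demo():
    keys = new_server_keys(3)
    uid, sealed, card = cast_vote({"mayor": "Candidate A"}, "4821",
                                  [k.public_key() for k in keys])
    opened = [open_at_server(k, s) for k, s in zip(keys, sealed)]
    assert all(o == encode_ballot(uid, {"mayor": "Candidate A"}) for o in opened)
    assert read_card(card, "4821") == uid
    return opened
```

Each audit server receives its own independently keyed copy, so opening one copy tells an attacker nothing about the key used for another; the demo confirms that every server recovers the identical ballot and that only the chosen PIN unlocks the card.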
At the end of the election, the results at each audit server must be nearly identical to all of the others - or the election is invalid. Error is allowed only if it doesn't affect the outcome of the election.
Finally, each voter may log on to the election system, at a library for example, or at any terminal with a card reader, and verify that his vote was accurately recorded at each of the audit servers. Again, the verification protocol is open, secure, and various competing implementations would ensure that no one organization produces the software.
There is no way, barring an extremely improbable brute force attack, that a voter's choices can be revealed to anyone but the voter himself. The only way to divine a voter's choices would be to spy on the voting booths, or steal a card and crack the password. Again, if military-grade cryptography is used, it would take millions of years to spy on a single vote in this manner.
A voter may, at the time of the vote, press a "duress vote" button on the machine. In that case, the vote is not counted, but the voter still receives a card, the vote can be verified, and it will otherwise seem to be a valid vote in every respect. Vote counts are stored separately, and duress flags are deleted after use. A voter can thus vote as many times as needed at a booth, obtaining as many "false votes" as desired. This effectively defeats the possibility of blackmail or bribery.
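A minimal model of the audit-server side of the two rules above (duress ballots get a verification record but never reach the tally, and the end-of-election check that every server's results agree unless the disagreement cannot change the outcome). This is an added example, not the article's code; the ballot records are constructed inline and arrive here already decrypted, and the "cannot affect the outcome" test is one concrete reading of that rule: the leader's lowest count on any server must still beat every rival's highest count on any server.

```python
# Added example (not the article's own code). Ballots are constructed here
# and arrive already decrypted; in the real design they are sealed per server.
from collections import Counter


class AuditServer:
    def __init__(self, name: str):
        self.name = name
        self.tally = Counter()   # counted votes only, stored apart from records
        self.records = {}        # uid -> choice, what a voter sees when verifying

    def receive(self, uid: str, choice: str, duress: bool = False):
        # A duress ballot gets a verification record like any other, so it
        # looks valid to a coercer, but it never reaches the tally. The flag
        # itself is not stored anywhere on the server.
        self.records[uid] = choice
        if not duress:
            self.tally[choice] += 1

    def verify(self, uid: str):
        return self.records.get(uid)


def winner(tally: Counter):
    """Candidate with the most votes; None on a tie or an empty tally."""
    ranked = tally.most_common(2)
    if not ranked:
        return None
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def election_valid(servers: list):
    """Return (valid, winner). Identical tallies are always valid. Differing
    tallies are valid only if every server names the same leader and that
    leader wins even under the worst case across servers: the leader's lowest
    count must exceed every rival's highest count."""
    tallies = [s.tally for s in servers]
    if all(t == tallies[0] for t in tallies):
        return True, winner(tallies[0])
    leaders = {winner(t) for t in tallies}
    if len(leaders) != 1 or None in leaders:
        return False, None
    leader = leaders.pop()
    candidates = set().union(*tallies)
    floor = min(t[leader] for t in tallies)
    ceiling = max((t[c] for t in tallies for c in candidates if c != leader),
                  default=-1)
    return floor > ceiling, leader


def demo():
    # Constructed ballots: (uid, choice, duress). "u4" is a duress vote.
    ballots = [("u1", "A", False), ("u2", "B", False), ("u3", "A", False),
               ("u4", "B", True), ("u5", "A", False)]
    servers = [AuditServer(n) for n in ("north", "south", "west")]
    for s in servers:
        for uid, choice, duress in ballots:
            if s.name == "west" and uid == "u5":
                continue   # simulate one ballot never reaching "west"
            s.receive(uid, choice, duress)
    return servers
```

In the demo, "north" and "south" count A=3, B=1 while "west" counts A=2, B=1; the tallies differ, but A's worst case (2) still beats B's best case (1), so the election stands. Every server still answers the duress voter's verification query with "B", even though that ballot was never counted.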
If a voter notices a fraudulent vote, then a change request may be filed. If there are enough change requests to modify the results of an election, then the requests will be honored. However, only those voters who filed a change request will be allowed to recast.
For the voter, the only difference is a little card that he gets to verify his vote.
An alternate vote verification system may be used, depending on the nature of the election. This system would not require a duress button.
A secure hash of the vote and the PIN is used to produce a number. This number is used as an index into a list of common, easy-to-remember words, like "apple" or "banana". In this alternate system, the audit server records only the UID and the word together in a database. The vote is never associated with the ID. The voter remembers this word, in addition to his PIN.
The voter can then verify his vote at any time by requesting that any audit server produce the word associated with his UID and PIN.
In this case, the UID on the card need not be encrypted at all, since it is stored alongside a meaningless word. It can even simply be the name of the voter.
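The alternate scheme of the last three paragraphs, as an added example that is not the article's code: a hash of the encoded vote and the PIN selects a word, the audit server stores only (UID, word), and the voter later compares the remembered word with what the server returns. SHA-256 with a fixed domain-separation prefix, the sixteen-entry word list, and the use of the voter's name as the UID are this example's assumptions.

```python
# Added example (not the article's own code). SHA-256, the domain prefix and
# the word list are assumptions; the UID is the voter's name, as the text
# allows for this variant.
import hashlib
import json

WORDS = ["apple", "banana", "cherry", "date", "elder", "fig", "grape", "honey",
         "iris", "juniper", "kiwi", "lemon", "mango", "nutmeg", "olive", "pear"]


def verification_word(vote: dict, pin: str) -> str:
    """Secure hash of the canonically encoded vote and the PIN, reduced to an
    index into WORDS. Without the PIN the word says nothing about the vote,
    and with a short list many distinct votes share each word."""
    canonical = json.dumps(vote, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(b"vote-word-v1\x00" + canonical + b"\x00"
                            + pin.encode()).digest()
    return WORDS[int.from_bytes(digest[:4], "big") % len(WORDS)]


class WordAuditServer:
    """Stores only (UID, word). The vote itself never reaches this table."""

    def __init__(self):
        self.records = {}

    def record(self, uid: str, word: str):
        self.records[uid] = word

    def word_for(self, uid: str):
        return self.records.get(uid)


def cast(uid: str, vote: dict, pin: str, servers: list) -> str:
    """Booth: compute the word, send only (uid, word) to every audit server,
    and tell the voter the word to remember. The vote is tallied elsewhere,
    never together with the UID."""
    word = verification_word(vote, pin)
    for s in servers:
        s.record(uid, word)
    return word


def voter_checks(uid: str, remembered_word: str, server: WordAuditServer) -> bool:
    """Later, at any terminal: ask any audit server for the word stored under
    the UID and compare it with the word the voter remembers. A voter who has
    forgotten the word can recompute it from his vote and PIN instead."""
    return server.word_for(uid) == remembered_word


def demo():
    servers = [WordAuditServer() for _ in range(3)]
    word = cast("Jane Q. Voter", {"mayor": "Candidate A"}, "4821", servers)
    assert all(voter_checks("Jane Q. Voter", word, s) for s in servers)
    return word, servers
```

With a list this short, a substituted record has a one-in-sixteen chance of carrying the same word, so the size of the word list sets how often a tampered record would go unnoticed; a longer list lowers that rate at the cost of a harder-to-remember word.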
This is a much cleaner system; however, it requires a voter to remember both a PIN and a word.