Ballot Image Security: Why Election Scanners Should Be Doing More
The technology exists, but it seems election equipment is left purposefully vulnerable!
Election security depends on verifiable records, yet many of today’s voting systems lack even the most basic cryptographic protections that are standard in other industries. One of the simplest yet most effective methods for ensuring the integrity of digital records is cryptographic hashing—but the way it is (or isn’t) currently used in election systems leaves major gaps in security.
This post will examine how ballot scanners should be securing election data, why today’s systems fall short, and how cryptographic techniques that are widely used elsewhere could greatly improve the transparency and security of our elections.
The Role of SHA256 Hashes in Election Security
A SHA256 hash[1] is a digital fingerprint of a file, such as a ballot image. If even a single pixel in the image changes, the hash is completely different, which makes it a useful tool for verifying that images have not been altered.[2] Hash functions of this kind are a core building block of modern cryptographic mechanisms, from digital signatures to Bitcoin.[3]
A common suggestion is that ballot scanners should generate SHA256 hashes at the time of scanning ballots to create ballot images and store the hashes securely. This would allow post-election audits to verify that images have not been tampered with.
However, if the hash is stored alongside the image without additional protections, it can be replaced just as easily as the image itself. This makes it nearly useless for actual security.
Election Scanners and Cryptographic Security Standards
Ballot scanners used in U.S. elections must comply with FIPS 140-2, a federal standard, published back in 2001, that sets minimum cryptographic security requirements. Unfortunately, this standard has not been implemented fully: a weakened form was allowed in voting systems, which permit private/public key generation in software rather than requiring true hardware-based key generation.
The result? Although FIPS 140-2 does require a hardware security module,[4] the cryptographic protections in election equipment are often weaker than one would expect, because software is allowed to generate the keys, which means the private key can be captured far more easily and used in malicious attacks.
How Manufacturers Have Avoided Strong Cryptographic Protections
Most election scanners do not generate even an unsigned SHA256 hash for ballot images. The only exception I have seen is Dominion machines, which sometimes create .SHA files—but these are not signed, meaning they are nearly worthless for real security purposes.
Manufacturers continue to release new election systems under outdated security rules rather than adopting modern standards. The Voluntary Voting System Guidelines (VVSG) 2.0 include some improvements, but most manufacturers still build under VVSG 1.1, which does not require adequate cryptographic protections.
Even VVSG 2.0, which is rarely implemented, does not go far enough to require true digital signatures for ballot images.
A Better Approach: Digital Signatures on Hashes
Instead of simply generating SHA256 hashes and storing them alongside images, ballot scanners should be signing the hashes using cryptographic key pairs, per FIPS 140-2.
A secure approach would work as follows:
1. Each scanner has a unique private/public key pair, generated before an election.
2. The private key is generated and stored securely inside a cryptographic chip,[5] using a truly random noise source, so that the private key is unknown even to election staff.
3. As each ballot is scanned:
   a. A SHA256 hash of the ballot image is generated.
   b. The hash is signed with the scanner’s private key.
4. The public key for each scanner is published before the election, allowing anyone to verify signed hashes later.
5. The signed hashes are stored securely, separate from the ballot images themselves.
This prevents tampering in two key ways:
Ballot images cannot be altered or replaced without detection. Even if an attacker modifies an image and generates a new hash, they cannot forge the scanner’s digital signature without access to its private key.
Ballots cannot be added or removed without detection. If scanners sign an aggregate hash of all ballots in a batch, any attempt to insert or remove ballots would break the cryptographic chain.
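The following is an added example, not code from the post or from any scanner vendor, that walks through the approach above end to end: a per-scanner key pair, a SHA256 hash per ballot image, a signature over each hash, a signed aggregate hash over the batch, and the verification an auditor would run with only the published public key. It uses Ed25519 from the Go standard library as the signature scheme (an assumption; the post does not name one), and the "scanner" keeps its private key in memory only so the example runs stand-alone, whereas the post calls for the key to live inside a cryptographic chip. The ballot "images" are constructed byte strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Scanner models one ballot scanner with its own key pair. In the design the
// post describes the private key never leaves a cryptographic chip; here it is
// held in memory purely so the example is self-contained (an assumption).
type Scanner struct {
	ID   string
	Pub  ed25519.PublicKey // published before the election
	priv ed25519.PrivateKey
}

// NewScanner generates a fresh Ed25519 key pair for one scanner.
func NewScanner(id string) (*Scanner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Scanner{ID: id, Pub: pub, priv: priv}, nil
}

// SignedHash is the record emitted per ballot image (and per batch): the
// SHA256 digest plus the scanner's signature over that digest.
type SignedHash struct {
	ScannerID string
	Hash      [32]byte
	Sig       []byte
}

// Sign hashes the image bytes and signs the hash with the scanner's key.
func (s *Scanner) Sign(image []byte) SignedHash {
	h := sha256.Sum256(image)
	return SignedHash{ScannerID: s.ID, Hash: h, Sig: ed25519.Sign(s.priv, h[:])}
}

// VerifyUnsignedHash is the weak check the post criticises: it only asks
// whether the image matches a stored hash, which anyone able to replace the
// image can recompute as well.
func VerifyUnsignedHash(image []byte, stored [32]byte) bool {
	return sha256.Sum256(image) == stored
}

// VerifySigned recomputes the image hash and checks the signature against the
// scanner's published public key.
func VerifySigned(pub ed25519.PublicKey, image []byte, rec SignedHash) bool {
	if sha256.Sum256(image) != rec.Hash {
		return false
	}
	return ed25519.Verify(pub, rec.Hash[:], rec.Sig)
}

// BatchDigest is the aggregate hash over a batch: SHA256 of the per-ballot
// hashes concatenated in scan order. Inserting, removing or reordering a
// ballot changes it.
func BatchDigest(recs []SignedHash) [32]byte {
	var buf bytes.Buffer
	for _, r := range recs {
		buf.Write(r.Hash[:])
	}
	return sha256.Sum256(buf.Bytes())
}

// SignBatch signs the aggregate digest of a batch.
func (s *Scanner) SignBatch(recs []SignedHash) SignedHash {
	d := BatchDigest(recs)
	return SignedHash{ScannerID: s.ID, Hash: d, Sig: ed25519.Sign(s.priv, d[:])}
}

// VerifyBatch checks every image against its signed record, then the batch
// record against the aggregate of those records.
func VerifyBatch(pub ed25519.PublicKey, images [][]byte, recs []SignedHash, batch SignedHash) bool {
	if len(images) != len(recs) {
		return false
	}
	for i := range images {
		if !VerifySigned(pub, images[i], recs[i]) {
			return false
		}
	}
	return BatchDigest(recs) == batch.Hash && ed25519.Verify(pub, batch.Hash[:], batch.Sig)
}

func main() {
	s, err := NewScanner("scanner-07")
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for three scanned ballot images.
	images := [][]byte{[]byte("ballot-image-0001"), []byte("ballot-image-0002"), []byte("ballot-image-0003")}
	recs := make([]SignedHash, len(images))
	for i, img := range images {
		recs[i] = s.Sign(img)
	}
	batch := s.SignBatch(recs)
	fmt.Println("genuine batch verifies:", VerifyBatch(s.Pub, images, recs, batch))

	// Image 2 is swapped and its unsigned hash recomputed: the hash-only check
	// is fooled, the signature check is not.
	swapped := []byte("ballot-image-0002-altered")
	forged := SignedHash{ScannerID: recs[1].ScannerID, Hash: sha256.Sum256(swapped), Sig: recs[1].Sig}
	fmt.Println("unsigned hash check fooled:", VerifyUnsignedHash(swapped, forged.Hash))
	fmt.Println("signed check rejects:", !VerifySigned(s.Pub, swapped, forged))

	// Dropping a ballot and its record breaks the signed batch digest.
	fmt.Println("batch with ballot removed rejected:", !VerifyBatch(s.Pub, images[:2], recs[:2], batch))
}
```

The auditor's side needs nothing secret: the public keys published before the election are enough to run VerifySigned and VerifyBatch over the stored images and records. Keeping the signed records separate from the images, as step 5 above says, means an attacker with write access to the image store still cannot produce records that pass.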
Why True Hardware-Based Key Generation Matters
Modern security chips—such as those used in banking, military systems, and secure authentication devices—generate their private keys internally using hardware-based entropy sources. These true random number generators (TRNGs) ensure that the private key:
Never leaves the chip, making it impossible for anyone, including election officials or vendors, to extract it.
Is unpredictable and resistant to attacks, unlike software-generated keys, which can be compromised if the system is infiltrated.
Is stored in tamper-resistant hardware, meaning that even if someone physically accesses the scanner, they cannot retrieve the key.
This is a standard security measure in industries that require strong cryptographic guarantees, yet it is completely absent from election scanners today.
A Missed Opportunity: VVSG 2.0 and the E2E Voting Distraction
One of the more surprising aspects of VVSG 2.0 is that, while it failed to require simple cryptographic protections like digital signatures for ballot images, it did include extensive provisions for End-to-End Verified (E2E-V) voting.
E2EV is an idea promoted by some very smart PhDs and heavily backed by Microsoft,[6] DARPA, and other research institutions. The concept is that every step of the election process—from ballot casting to tabulation—should be cryptographically verifiable. While this sounds promising, its practical implementation is deeply flawed.
Most E2EV systems rely on touchscreen-based voting, where votes are encrypted using homomorphic encryption. This type of encryption allows mathematical operations to be performed directly on encrypted data—meaning votes can be summed while remaining encrypted. In theory, this prevents tampering while maintaining voter privacy.
However, in practice, E2EV is an unscalable, impractical system:
Computational Overhead: Homomorphic encryption is extremely inefficient. A single vote balloons in size by 4096x, making large-scale elections computationally infeasible, and the proofs required at every step make the system impractical. It has never been demonstrated at the scale of at least 500K ballots in a district, only in small jurisdictions.
Voter Acceptance: Voters prefer hand-marked paper ballots over electronic voting systems. Touchscreen-based voting has been widely rejected due to security concerns and distrust, as it is difficult for voters to verify that their vote has been accepted correctly.
Privacy Risks: While the encryption prevents tampering, it does not prevent insider threats. If election workers or attackers compromise the system, they can still decrypt individual votes and determine how specific voters cast their ballots.
In my opinion, E2EV is a “cheeseless rathole”—a technically interesting but completely impractical system for real-world elections. Worse, while VVSG 2.0 spent significant effort outlining E2EV provisions, it ignored basic cryptographic security that could have been deployed immediately.
Instead of chasing an unworkable encryption-heavy voting model, election security should start with fundamentals: digital signatures on ballot images, cryptographic hashing, and hardware-backed key management—all of which are scalable, proven, and already widely used in cybersecurity.
Conclusion: The Need for Immediate Action
Right now, the security of ballot images is left almost entirely to procedural controls, rather than cryptographic protections. This leaves room for potential manipulation and makes it impossible to independently verify that ballot images have not been modified.
By implementing digital signatures at the scanner level—using true hardware-based key generation—election officials could ensure that ballot images are tamper-proof and that election records are truly immutable.
This is not theoretical or difficult to implement—industries like finance and cloud computing use these security measures every day to protect critical data.
So why aren’t election scanner manufacturers implementing these protections?
It’s time to start asking them.
Contact your representative today and ask them to improve election machine security. We know how.
All Posts: https://substack.com/@raylutz/posts
The designation SHA256 refers to a specific “secure hash algorithm” with 256 bits. There are other algorithms and key lengths. I use this term here because the SHA256 hash has adequate security for this application without intending to say that it is the only solution.
See this explainer video “How does SHA-256 work?”
https://medium.com/@krishnabhdas3/what-is-sha-295047ec6b25
Here is an example of such a chip, which is about the size of a pea and costs only about $1. So the idea that this is somehow too hard to include in election equipment makes no sense. There are many other variations on this; I just picked one that was roughly what was needed.
https://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-8857-CryptoComp-AT88SC118-Datasheet.pdf
See “ElectionGuard” https://www.electionguard.vote/
https://www.brennancenter.org/our-work/research-reports/project-2025-would-fuel-assault-election-officials
🥳
JAIL THEM ALL:
https://youtube.com/watch?v=gXxRoUByctg&si=c1RgYM07MWdyz9K5
https://www.dropbox.com/scl/fi/cnfhgispz8ldgzubdh6a0/2024-USA-ELECTION-FRAUD-PRESIDENCY.pdf?rlkey=epj05do03qhflx5v0tbfinlmf&dl=0