A Modular Voting Architecture (“Frog Voting”)
                                      1. Initialization: Voter signs in,
                                         gets Frog
                                      2. Vote-Capture: Voter records                         99
                                         choices        on Frog, using
                                         vote-capture device.
                                      3. Vote-Casting: Voter  uses vote-casting
                                         device to confirm selections made, and
                                         to cast vote.








                                      Fig. 1. A Modular Voting Architecture (“Frog Voting”)


                            However, electronic voting systems are likely to be complex, and complexity
                          is the enemy of security. Such voting systems are likely to be software-based.
                          Ensuring that software is bug-free and secure is notoriously difficult. There may
                          be little that an election official can do beyond accepting a vendor’s “trust us”
                          statement, an unacceptable situation, or trusting an equipment certification pro-
                          cess that does not include a rigorous security evaluation.
                            By separating vote capture from vote casting, and having the voter transport
                          her ballot on a Frog from one operation to the other, we achieve several security-
                          related objectives.
                            First, the voter’s ballot is recorded on a physical object (the Frog) that be-
                          comes part of the audit trail once the vote is cast.
                            Second, the certification of a vote-capture device may have different standards
                          than that of a vote-casting device. The vote-capture device might have lots of
                          graphics-oriented software that is difficult to certify, while the more critical vote-
                          casting device could be exceptionally simple and easily certifiable.
                            Third, different manufacturers could produce the vote-capture equipment and
                          the vote-casting equipment. (The recording formats and interfaces for Frogs
                          would be standardized and public.) The ability to replace any component with a
                          similar component from a different manufacturer (e.g., for a recount) can assist
                          in reducing the likelihood that corrupt vendor employees could bias an election.
                            We imagine that election officials purchase Frogs in bulk in blank, uninitialized
                          form. Thus, Frogs may be considerably cheaper than printed paper or optical
                          scan ballots. A blank Frog may be a blank piece of paper, a blank memory card
                          costing twenty cents or less, or some other medium with suitable properties. Some
                          form of electronic memory might eventually become the preferred representation
                          of a Frog.