We present a new approach for cryptographic end-to-end verifiable
optical-scan voting.  Ours is the first that does not rely on a single
point of trust to protect ballot secrecy while simultaneously offering
a conventional single layer ballot form and unencrypted paper trail.
We present two systems following this approach.  The first system uses
ballots with randomized confirmation codes and a physical in-person
dispute resolution procedure.  The second system improves upon the
first by offering an informational dispute resolution procedure and a
public paper audit trail through the use of self-blanking invisible
ink confirmation codes.  We then present a security analysis of the
improved system.