If malicious actor swaps the IC, new one won't have the secret material that original had contained (and which IC will only disclosed upon receiving court-signed audit order, permanently burning a fuse at the same time). And if they try to tamper with the IC, they'll need to spend significant amount of time with it.
This isn't even remotely perfect, but can be used as one of the measures. Throw in some more redundant systems with different approaches, ensure their integrity at the end and you'll have some proof that the results are authentic enough to a certain extent (measured in amount of efforts needed to perform a successful attack).
That's security through obscurity. You want any citizen to be able to audit the security of the device, if you have to trust the government or some institution then what's the point?
After voting, each voter would receive a receipt -- a record of his choices that would be encrypted, or put into code, and could be deciphered only by a collaboration of all the election trustees. After polls closed, all receipts would be posted on the Internet. Each voter could use his serial number to find the image of his receipt, and make sure it matched the one he carried.
Not foolproof but still better than what we have now.
If malicious actor swaps the IC, new one won't have the secret material that original had contained (and which IC will only disclosed upon receiving court-signed audit order, permanently burning a fuse at the same time). And if they try to tamper with the IC, they'll need to spend significant amount of time with it.
This isn't even remotely perfect, but can be used as one of the measures. Throw in some more redundant systems with different approaches, ensure their integrity at the end and you'll have some proof that the results are authentic enough to a certain extent (measured in amount of efforts needed to perform a successful attack).