Practical Governmental Voting with Unconditional Integrity and Privacy

  • Nan Yang
  • Jeremy ClarkEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10323)


Throughout the years, many cryptographically verifiable voting systems have been proposed with a whole spectrum of features and security assumptions. Where the voter casts an in-person (and possibly paper) ballot and leaves, as is common in a governmental election, the majority of the proposals fall in the category of providing unconditional integrity and computational privacy. A minority of papers have looked at the inverse scenario: everlasting privacy with computational integrity. However as far as we know, no paper has succeeded in providing both unconditional integrity and privacy in this setting—it has only been explored in boardroom voting schemes where voters participate in the tallying process. Our paper aims for a two-level contribution: first, we present a concrete system with these security properties (one that works as a backend for common ballot styles like Scantegrity II or Prêt à Voter); and second, we provide some insight into how different combinations of security assumptions are interdependent.



We thank Claude Crépeau for helpful insights. We thank the anonymous reviewers who pointed out relevant work, suggested interesting ideas, and showed us where our paper needed more clarity. The second author acknowledges funding for this work from NSERC and FQRNT.


  1. 1.
    Adida, B.: Helios: web-based open-audit voting. In: USENIX Security (2008)Google Scholar
  2. 2.
    Bell, S., Benaloh, J., Byrne, M.D., Debeauvoir, D., Eakin, B., Kortum, P., McBurnett, N., Pereira, O., Stark, P.B., Wallach, D.S., Fisher, G., Montoya, J., Parker, M., Winn, M.: Star-vote: a secure, transparent, auditable, and reliable voting system. JETS 1, 8 (2013)Google Scholar
  3. 3.
    Benaloh, J.: Simple verifiable elections. In: EVT (2006)Google Scholar
  4. 4.
    Cohen, J.D., Fisher, M.J.: A robust and verifiable cryptographically secure election scheme. In: SFCS (1985)Google Scholar
  5. 5.
    Broadbent, A., Tapp, A.: Information-theoretically secure voting without an honest majority. In: WOTE (2008)Google Scholar
  6. 6.
    Burton, C., Culnane, C., Schneider, S.: Verifiable electronic voting in practice: the use of vvote in the victorian state election. In: IEEE Security and Privacy (2016)Google Scholar
  7. 7.
    Carback, R.T., Chaum, D., Clark, J., Conway, J., Essex, A., Hernson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E., Sherman, A.T., Vora, P.L.: Scantegrity II election at Takoma Park. In: USENIX Security Symposium (2010)Google Scholar
  8. 8.
    Chaum, D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 177–182. Springer, Heidelberg (1988). Google Scholar
  9. 9.
    Chaum, D.: Secret-ballot receipts: true voter-verifiable elections. IEEE Secur. Priv. 2(1), 38–47 (2004)CrossRefGoogle Scholar
  10. 10.
    Chaum, D., Carback, R., Clark, J., Essex, A., Popoveniuc, S., Rivest, R.L., Ryan, P.Y.A., Shen, E., Sherman, A.T.: Scantegrity II: end-to-end verifiability for optical scan election systems using invisible ink confirmation codes. In: EVT (2008)Google Scholar
  11. 11.
    Chaum, D., Essex, A., Carback, R., Clark, J., Popoveniuc, S., Sherman, A.T., Vora, P.: scantegrity: end-to-end voter verifiable optical-scan voting. IEEE Secur. Priv. 6(3), 40–46 (2008)CrossRefGoogle Scholar
  12. 12.
    Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005). CrossRefGoogle Scholar
  13. 13.
    Chevallier-Mames, B., Fouque, P.-A., Pointcheval, D., Stern, J., Traoré, J.: On some incompatible properties of voting schemes. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 191–199. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  14. 14.
    Clark, J., Hengartner, U.: On the use of financial data as a random beacon. In: EVT/WOTE (2010)Google Scholar
  15. 15.
    Cramer, R., Franklin, M., Schoenmakers, B., Yung, M.: Multi-authority secret-ballot elections with linear work. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 72–83. Springer, Heidelberg (1996). Google Scholar
  16. 16.
    Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 103–118. Springer, Heidelberg (1997). Google Scholar
  17. 17.
    Demirel, D., van de Graaf, J., dos Santos Araujo, R.S.: Improving Helios with everlasting privacy towards the public. In: EVT/WOTE (2012)Google Scholar
  18. 18.
    Essex, A., Clark, J., Hengartner, U., Adams, C.: Eperio: mitigating technical complexity in cryptographic election verification. In: EVT/WOTE (2010)Google Scholar
  19. 19.
    Gallegos-Garcia, G., Iovino, V., Rial, A., Ronne, P.B., Ryan, P.Y.A.: (Universal) unconditional verifiability in e-voting without trusted parties. Technical report, IACR Eprint Report 2016/975 (2016)Google Scholar
  20. 20.
    Garay, J., Givens, C., Ostrovsky, R., Raykov, P.: Broadcast (and round) efficient verifiable secret sharing. In: ICITS (2014)Google Scholar
  21. 21.
    Goldwasser, S., Kalaj, Y.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS (2003)Google Scholar
  22. 22.
    Hao, F., Zieliński, P.: A 2-round anonymous veto protocol. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2006. LNCS, vol. 5087, pp. 202–211. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  23. 23.
    Henry, K., Stinson, D.R., Sui, J.: The effectiveness of receipt-based attacks on threeballot. IEEE TIFS 4(4), 699–707 (2009)Google Scholar
  24. 24.
    Hosp, B., Vora, P.L.: An information-theoretic model of voting systems. Math. Comput. Model. 48, 1628–1645 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Kiayias, A., Yung, M.: Self-tallying elections and perfect ballot secrecy. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 141–158. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  26. 26.
    Kiayias, A., Zacharias, T., Zhang, B.: End-to-end verifiable elections in the standard model. Technical report 2015/346, IACR Eprint Report (2015)Google Scholar
  27. 27.
    Locher, P., Haenni, R.: Verifiable internet elections with everlasting privacy and minimal trust. In: Haenni, R., Koenig, R.E., Wikström, D. (eds.) VOTELID 2015. LNCS, vol. 9269, pp. 74–91. Springer, Cham (2015). CrossRefGoogle Scholar
  28. 28.
    Locher, P., Haenni, R., Koenig, R.E.: Coercion-resistant internet voting with everlasting privacy. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 161–175. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  29. 29.
    Malkhi, D., Margo, O., Pavlov, E.: E-voting without ‘Cryptography’. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 1–15. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  30. 30.
    Mannan, M., Kim, B.H., Ganjali, A., Lie, D.: Unicorn: two-factor attestation for data security. In: CCS (2011)Google Scholar
  31. 31.
    Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: CRYPTO (2006)Google Scholar
  32. 32.
    Moran, T., Naor, M.: Split-ballot voting: everlasting privacy with distributed trust. In: CCS (2007)Google Scholar
  33. 33.
    Neff, C.A.: A verifiable secret shuffle and its application to e-voting. In: CCS (2001)Google Scholar
  34. 34.
    Popoveniuc, S., Hosp, B.: An introduction to punchscan. In: WOTE (2006)Google Scholar
  35. 35.
    Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-first Annual ACM Symposium on Theory of Computing, STOC 1989, New York, NY, USA, pp. 73–85. ACM (1989)Google Scholar
  36. 36.
    Riva, B., Ta-Shma, A.: Bare-handed electronic voting with pre-processing. In: Proceedings of the USENIX Workshop on Accurate Electronic Voting Technology, EVT 2007, Berkeley, CA, USA, pp. 15–15. USENIX Association (2007)Google Scholar
  37. 37.
    Rivest, R.L., Smith, W.D.: Three voting protocols: threeballot, VAV, and twin. In: EVT (2007)Google Scholar
  38. 38.
    Schoenmakers, B.: A simple publicly verifiable secret sharing scheme and its application to electronic voting. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 148–164. Springer, Heidelberg (1999). Google Scholar
  39. 39.
    Schoenmakers, B.: Fully auditable electronic secret-ballot elections. Xootic Mag. 8, 5 (2000)Google Scholar
  40. 40.
    Stadler, M.: Publicly verifiable secret sharing. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996). Google Scholar
  41. 41.
    Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013). CrossRefGoogle Scholar

Copyright information

© International Financial Cryptography Association 2017

Authors and Affiliations

  1. 1.Concordia UniversityMontrealCanada

Personalised recommendations