Prêt à Voter Providing Everlasting Privacy

  • Denise Demirel
  • Maria Henning
  • Jeroen van de Graaf
  • Peter Y. A. Ryan
  • Johannes Buchmann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7985)


This paper shows how Prêt à Voter can be adjusted in order to provide everlasting privacy. This is achieved by adapting the ballot generation and anonymisation process, such that only unconditional hiding commitments and zero knowledge proofs are published for verification, thus ensuring privacy towards the public. This paper presents a security analysis carried out in a collaboration between computer scientists and legal researchers. On the technical side it is shown that the modified Prêt à Voter provides verifiability, robustness, and everlasting privacy towards the public. Everlasting privacy towards the authorities can be achieved by implementing several organisational measures. A legal evaluation of these measures demonstrates that the level of privacy achieved would be acceptable under German law.


Prêt à Voter everlasting privacy legal issues design and evaluation of e-Voting systems cryptographic voting schemes 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Pci hardware security module (hsm),
  2. 2.
    Araújo, R., Custódio, R.F., van de Graaf, J.: A verifiable voting protocol based on Farnel. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 274–288. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Araujo, R., Ryan, P.Y.A.: Improving the Farnel voting scheme. In: Electronic Voting, pp. 169–184 (2008)Google Scholar
  4. 4.
    Bohli, J.-M., Müller-Quade, J., Röhrich, S.: Bingo Voting: Secure and coercion-free voting using a trusted random number generator. In: Alkassar, A., Volkamer, M. (eds.) VOTE-ID 2007. LNCS, vol. 4896, pp. 111–124. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Buchmann, J., Demirel, D., van de Graaf, J.: Towards a publicly-verifiable mix-net providing everlasting privacy. In: Financial Cryptography (to appear, 2013)Google Scholar
  6. 6.
    Burton, C., Culnane, C., Heather, J., Peacock, T., Ryan, P.Y.A., Schneider, S., Srinivasan, S., Teague, V., Wen, R., Xia, Z.: A supervised verifiable voting protocol for the victorian electoral commission. In: Electronic Voting, pp. 81–94 (2012)Google Scholar
  7. 7.
    Burton, C., Culnane, C., Heather, J., Peacock, T., Ryan, P.Y.A., Schneider, S., Teague, V., Wen, R., Xia, Z.J., Srinivasan, S.: Using Prêt à Voter in Victoria State Elections. In: Proceedings of the Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (2012)Google Scholar
  8. 8.
    Cabinet of Germany: Bundestags-Drucksache 16/5194 (2007),
  9. 9.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  10. 10.
    Chaum, D., Essex, A., Carback, R., Clark, J., Popoveniuc, S., Sherman, A.T., Vora, P.L.: Scantegrity: End-to-end voter-verifiable optical-scan voting. IEEE Security & Privacy 6(3), 40–46 (2008)CrossRefGoogle Scholar
  11. 11.
    Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Cuvelier, E., Pereira, O., Peters, T.: Election verifiability or ballot privacy: Do we need to choose? Cryptology ePrint Archive, Report 2013/216 (2013)Google Scholar
  13. 13.
    Demirel, D., Henning, M.: Legal analysis of privacy weaknesses in poll-site evoting systems. Jusletter IT Editions Weblaw (September 2012) ISSN 1664-848XGoogle Scholar
  14. 14.
    Demirel, D., Henning, M., Ryan, P.Y.A., Schneider, S., Volkamer, M.: Feasibility analysis of Prêt à Voter for German federal elections. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 158–173. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Demirel, D., van de Graaf, J., Araújo, R.: Improving Helios with everlasting privacy towards the public. In: Proceedings of EVT/WOTE 2012 (2012)Google Scholar
  16. 16.
    Federal Constitutional Court of Germany: Voting computer judgement. (BVerfGE) - Judicial decisions of the Federal Constitutional Court of Germany 123, 39 (2009),
  17. 17.
    Ferguson, N., Schneier, B.: Practical cryptography. Wiley (2003),
  18. 18.
    Fisher, K., Carback, R., Sherman, A.T.: Punchscan: Introduction and system definition of a high-integrity election system. In: Preproceedings of WOTE 2006 (2006)Google Scholar
  19. 19.
    Graaf, J.: Voting with unconditional privacy by merging Prêt à Voter and PunchScan. IEEE Trans. Inf. Forensics Security 4(4), 674–684 (2009)CrossRefGoogle Scholar
  20. 20.
    Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  21. 21.
    Heather, J.: Implementing STV securely in Prêt à Voter. In: CSF, pp. 157–169 (2007)Google Scholar
  22. 22.
    Heather, J., Lundin, D.: The append-only web bulletin board. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 242–256. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  23. 23.
    Henning, M., Demirel, D., Volkamer, M.: Öffentlichkeit vs. verifizierbarkeit - inwieweit erfüllt mathematische verifizierbarkeit den grundsatz der öffentlichkeit der wahl. In: IRIS 2012, pp. 213–220 (2012)Google Scholar
  24. 24.
  25. 25.
    Lipmaa, H., Zhang, B.: A more efficient computationally sound non-interactive zero-knowledge shuffle argument. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 477–502. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  26. 26.
    Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 373–392. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  27. 27.
    Moran, T., Naor, M.: Split-ballot voting: everlasting privacy with distributed trust. In: ACM Conference on Computer and Communications Security, pp. 246–255 (2007)Google Scholar
  28. 28.
    Moran, T., Naor, M.: Split-ballot voting: Everlasting privacy with distributed trust. ACM Trans. Inf. Syst. Secur. 13(2) (2010)Google Scholar
  29. 29.
    Park, C., Itoh, K., Kurosawa, K.: Efficient anonymous channel and all/Nothing election scheme. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 248–259. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  30. 30.
    Rivest, R.L.: The ThreeBallot voting system (2006)Google Scholar
  31. 31.
    Ryan, P.Y.A., Bismark, D., Heather, J., Schneider, S., Xia, Z.: Prêt à Voter: a voter-verifiable voting system. IEEE Trans. Inf. Forensics Security 4(4), 662–673 (2009)CrossRefGoogle Scholar
  32. 32.
    Ryan, P.Y.A., Bryans, J.: A simplified version of the chaum voting scheme. Technical Report CS-TR 843, University of Newcastle upon Tyne (May 2004)Google Scholar
  33. 33.
    Ryan, P.Y.A., Peacock, T.: Prêt à Voter: a systems perspective. Tech. rep. (2005)Google Scholar
  34. 34.
    Ryan, P.Y.A., Peacock, T.: A threat analysis of Prêt à Voter. In: Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.Y.A., Benaloh, J., Kutylowski, M., Adida, B. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 200–215. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  35. 35.
    Ryan, P.Y.A., Schneider, S.A.: Prêt à Voter with re-encryption mixes. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 313–326. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  36. 36.
    Sako, K., Kilian, J.: Receipt-free mix-type voting scheme - A practical solution to the implementation of a voting booth. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 393–403. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  37. 37.
    Schneider, S., Srinivasan, S., Culnane, C., Heather, J., Xia, Z.: Prêt á Voter with write-ins. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 174–189. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  38. 38.
    Schreiber, W.: Bundeswahlgesetz Kommentar. Carl Heymanns Verlag (2009)Google Scholar
  39. 39.
    Sherman, A.T., Fink, R.A., Carback, R., Chaum, D.: Scantegrity III: automatic trustworthy receipts, highlighting over/under votes, and full voter verifiability. In: Proceedings of EVT/WOTE 2011, pp. 7–23 (2011)Google Scholar
  40. 40.
    Strauss, C.: A critical review of the triple ballot voting system. Part2: Cracking the triple ballot encryption. Draft Version 1.5, Verified Voting New Mexico (2006),
  41. 41.
    Xia, Z., Schneider, S.A., Heather, J., Ryan, P.Y.A., Lundin, D., Peel, R., Howard, P.: Prêt à Voter: All-in-one. In: Proceedings of WOTE 2007, pp. 47–56 (2007)Google Scholar
  42. 42.
    Xia, Z., Culnane, C., Heather, J., Jonker, H., Ryan, P.Y.A., Schneider, S., Srinivasan, S.: Versatile Prêt à Voter: Handling multiple election methods with a unified interface. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 98–114. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  43. 43.
    Xia, Z., Schneider, S.A., Heather, J., Traoré, J.: Analysis, improvement, and simplification of Prêt à Voter with paillier encryption. In: EVT 2008 (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Denise Demirel
    • 1
  • Maria Henning
    • 2
  • Jeroen van de Graaf
    • 3
  • Peter Y. A. Ryan
    • 4
  • Johannes Buchmann
    • 1
  1. 1.CASEDTechnische Universität DarmstadtGermany
  2. 2.Project Group Constitutionally Compatible Technology Design (provet)Universität KasselGermany
  3. 3.Departamento de Ciência da ComputaçãoUniversidade Federal de MinasGeraisBrazil
  4. 4.Interdisciplinary Centre for Security and TrustUniversity of LuxembourgLuxembourg

Personalised recommendations