Electronic Voting

In this work we consider Belenios-CaI, a protocol offering a cast-as-intended mechanism and building upon Belenios, a voting system used in about 7000 elections to date. We modify the design of Belenios-Cai from the user perspective without changing its core cryptographic mechanism. The goal is to increase its usability by letting the voter simply check whether two symbols are equal or different.

We conducted a user-study among 165 participants in a research center to evaluate the usability of our implementation of Belenios-CaI. Since the cast-as-intended mechanism assumes that voters make some random choices, we also evaluate whether the choices made by voters are sufficiently “random” to provide verifiability and whether it could affect their privacy. The study shows that, for our population, Belenios-CaI is considered as usable with the random choices of the voters seeming sufficient for verifiability and privacy.

In 2001, Hirt proposed a receipt-free voting scheme, which prevents malicious voters from proving to anybody how they voted, under the assumption of the availability of a helping server that is trusted for receipt-freeness, and only for that property.  This appealing design led to a number of subsequent works that made this approach non-interactive and more efficient. Still, in all of these works, receipt-freeness depends on the honesty of one single server.

Eventually, we propose a generic construction of a single-pass verifiable voting system achieving threshold receipt freenes with a mixnet-based tallying process. Our ballot submission process relies on the recently designed traceable receipt-free encryption primitive.

AWAIRE is one of two extant methods for conducting risk-limiting audits of instant-runoff voting (IRV) elections. In principle AWAIRE can audit IRV contests with any number of candidates, but the original implementation incurred memory and computation costs that grew superexponentially with the number of candidates. This paper improves the algorithmic implementation of AWAIRE in three ways that make it practical to audit IRV contests with 55 candidates, compared to the previous 6 candidates. First, rather than trying from the start to rule out all candidate elimination orders that produce a different winner, the algorithm starts by considering only the final round, testing statistically whether each candidate could have won that round. For those candidates who cannot be ruled out at that stage, it expands to consider earlier and earlier rounds until either it provides strong evidence that the reported winner really won or a full hand count is conducted, revealing who really won. Second, it tests a richer collection of conditions, some of which can rule out many elimination orders at once. Third, it exploits relationships among those conditions, allowing it to abandon testing those that are unlikely to help. We provide real-world examples with up to 36 candidates and synthetic examples with up to 55 candidates, showing how audit sample size depends on the margins and on the tuning parameters. An open-source Python implementation is publicly available.

Research on voters’ trust in i-voting has been exclusively related to building trust in the process of i-voting adoption, with no work addressing the question of trust repair. This article introduces a framework for trust repair in i-voting by integrating insights from trust repair in other research areas, as well as concepts developed for and used in the e-voting literature. The article traces the process of trust repair from the different beliefs influencing voters’ trust in both the human and technological dimensions of an i-voting system, through the influence of the internal and external stakeholders, to trust violations and the i-voting organisers’ strategies for trust repair and the ‘arsenal’ of measures at their disposal. The article highlights the importance of detecting the emergence of events that may violate trust among voters, understanding the severity and dimensions of trust violation, and strategically navigating trust repair. It also outlines open questions and identifies avenues for future research.

Coercion resistance is a strong security property of electronic voting that prevents adversaries from forcing voters to vote in a specific way by using threats or rewards. There exist clever techniques aimed at preventing voter coercion based on fake credentials, but they are either inefficient or cannot support features such as revoting without leaking more information than necessary to coercers. One of the reasons is that invalid ballots cast due to revoting or coercion need to be removed before the tallying. In this paper, we propose a coercion-resistant Internet voting scheme that does not require the removal of invalid ballots, hence avoids the leakage of information, but still supports revoting. The scheme is very efficient and achieves linear tallying.

Despite being deployed in Canadian municipal elections since 2003, online ballots were not used in binding elections at higher levels of government until the Northwest Territories’ adoption of online voting for absentee voters in its territorial elections in 2019 and 2023. Municipal and Indigenous use of online voting in Canada are well studied, but implementation at higher orders of government have not yet been examined. Drawing on an original data set of online voters in the 2023 Northwest Territories territorial election, we examine who votes online in higher order elections, attitudes towards the voting mode, and its impact on engagement. Throughout our analysis, we simultaneously compare these data to original data from online voter exit surveys conducted during the 2022 Ontario municipal elections. We find that uncommitted voters outside of Yellowknife would not have voted without the online option. Similarly, for municipal voters, we find that age and past voting record correlate with whether the online option influenced electors to cast a ballot.

Electronic voting (e-voting) systems have become more prevalent in recent years, but security concerns have also increased, especially regarding the privacy and verifiability of votes. As an essential ingredient for constructing secure e-voting systems, designers often employ zero-knowledge proofs (ZKPs), allowing voters to prove their votes are valid without revealing them. Invalid votes can then be discarded to protect verifiability without compromising the privacy of valid votes. General purpose zero-knowledge proofs (GPZKPs) such as ZK-SNARKs can be used to prove arbitrary statements, including ballot validity. While a specialized ZKP that is constructed only for a specific election type/voting method, ballot format, and encryption/commitment scheme can be more efficient than a GPZKP, the flexibility offered by GPZKPs would allow for quickly constructing e-voting systems for new voting methods and new ballot formats. So far, however, the viability of GPZKPs for showing ballot validity for various ballot formats, in particular, whether and in how far they are practical for voters to compute, has only recently been investigated for ballots that are computed as Pedersen vector commitments in an ACM CCS 2022 paper by Huber et al. Here, we continue this line of research by performing a feasibility study of GPZKPs for the more common case of ballots encrypted via Exponential ElGamal encryption. Specifically, building on the work by Huber et al., we describe how the Groth16 ZK-SNARK can be instantiated to show ballot validity for arbitrary election types and ballot formats encrypted via Exponential ElGamal. As our main contribution, we implement, benchmark, and compare several such instances for a wide range of voting methods and ballot formats. Our benchmarks not only establish a basis for protocol designers to make an educated choice for or against such a GPZKP, but also show that GPZKPs are actually viable for showing ballot validity in voting systems using Exponential ElGamal.

We present a new verifiable voting scheme based on the Hyperion scheme but providing everlasting privacy and receipt-freeness. As with Selene and Hyperion, it provides a direct form of E2E verifiability: voters verify the presence of their votes in plaintext in the tally. However, in contrast to Selene or Hyperion, the privacy of this protocol is everlasting. In addition, our protocol offers the novel feature of everlasting receipt-freeness and coercion mitigation.

Coercion and vote-buying are challenging and multi-faceted threats that prevent people from expressing their will freely. Even though there are known techniques to resist or partially mitigate coercion and vote-buying, we explicitly demonstrate that they generally underestimate the power of malicious actors by not accounting for current technological tools that could support coercion and vote-selling. In this paper, we give several examples of how a coercer can force voters to comply with his demands or how voters can prove how they voted. To do so, we use tools like blockchains, delay encryption, privacy-preserving smart contracts, or trusted hardware. Since some of the successful coercion attacks occur on voting schemes that were supposed/claimed/proven to be coercion-resistant or receipt-free, the main conclusion of this work is that the coercion models should be re-evaluated, and new definitions of coercion and receipt-freeness are necessary. We propose such new definitions as part of this paper and investigate their implications.