Papers
Topics
Authors
Recent
Search
2000 character limit reached

Audit-or-Cast: Enforcing Honest Elections with Privacy-Preserving Public Verification

Published 20 Apr 2026 in cs.CR | (2604.18163v2)

Abstract: Electronic voting systems must balance public verifiability with voter privacy and coercion resistance. Existing cryptographic protocols typically achieve end-to-end verifiability by revealing vote distributions, relying on trusted clients, or enabling transferable receipts - design choices that often compromise trust or privacy in real-world deployments. We present ACE, a voting protocol that reconciles public auditability with strong privacy guarantees. The protocol combines a publicly verifiable, tally-hiding aggregation mechanism with an Audit-or-Cast challenge that enforces cast-as-intended even under untrusted client assumptions. Tallier-side re-randomization eliminates persistent links between voters and public records, yielding information-theoretic receipt-freeness assuming at least one honest tallier. We formalize the security of ACE and show that it simultaneously achieves end-to-end verifiability, publicly tally-hiding results, and strong receipt-freeness without trusted clients.

Summary

  • The paper introduces ACE, a protocol that achieves end-to-end verifiability, tally-hiding, and receipt-freeness without relying on trusted clients.
  • It employs tallier-side re-randomization and an interactive audit-or-cast challenge to detect and deter any deviations in ballot processing.
  • It leverages a public bulletin board with SNARK proofs to enable universal verifiability while safeguarding voter privacy and preventing coercion.

Audit-or-Cast: Honest Elections with Privacy-Preserving Public Verification

Problem Statement and Motivation

The design of electronic voting protocols is dictated by competing goals: strong public auditability, rigorous privacy guarantees (including receipt-freeness and coercion resistance), and minimal trust assumptions about clients or election administrators. Existing deployed protocols frequently fail to achieve all desiderata simultaneously. For instance, universal verifiability is often achieved at the cost of publicly revealing vote distributions or intermediate tallies, which undermines ballot secrecy; conversely, schemes enforcing strong privacy may prevent complete independent verification, thereby eroding public trust. Furthermore, most protocols rely on trusted voting devices or expose voters to transferable receipts, rendering them vulnerable to coercion and vote buying. This work addresses these open problems in the domain of cryptographically secure national-scale voting.

The ACE Protocol: Overview and Mechanism

The paper presents ACE (Audit-Cast Election), a protocol that for the first time achieves end-to-end verifiability, public tally-hiding, and information-theoretic receipt-freeness without trusted clients. Key innovations include:

  • Tallier-side re-randomization: After the voter prepares their shares, each tallier applies independent blinding to the share's Pedersen vector commitment. The final published commitment is statistically independent from the voter's initial submission, ensuring that even if the voter reveals all their secrets, a coercer cannot verify how they voted.
  • Audit-or-Cast interactive challenge: Each voter may choose to audit the submission (demanding de-randomization proofs from talliers) or cast the ballot. The audit detects deviation (dishonest handling of shares) with probability amplifiable via repeated challenge rounds. This mechanism forces all participants—voters and talliers—to follow the protocol, ensuring the integrity of vote generation and submission even in the presence of compromised clients.
  • Public bulletin board (PBB): All commitments, zero-knowledge proofs, and protocol transcripts are committed to a publicly readable, append-only ledger (e.g., blockchain). This enables universal verifiability by any auditor and ensures transparency and resilience to censorship or modification.

Security Model, Threat Assumptions, and Guarantees

The adversarial model encompasses static, potentially malicious subsets of voters and talliers, but assumes mutually authenticated channels and at least one honest tallier. The protocol satisfies a suite of formal properties:

  • Public Privacy: No coalition of up to all but one tallier can link a vote-share to a candidate.
  • Tally-hiding: Only talliers learn the complete tally; the public sees only the declared result with zero-knowledge proofs.
  • Receipt-freeness: Even if a voter is coerced and must reveal all local randomness and secrets post-vote, they cannot prove their choice to a third party (information-theoretic guarantee given tallier-side blinding).
  • Double-vote prevention and immutability: The PBB ensures each voter can cast only once and that votes, once finalized, cannot be altered.
  • Cast-as-intended and tally-as-intended: Voters verify the correctness of share handling via audits; anyone can check the tally’s integrity via commitments and zero-knowledge proofs.

Protocol Execution Phases

The protocol execution comprises distinct phases:

  1. Vote Generation and Sharing: Each voter splits their choice (as a vector) into additive shares and computes Pedersen commitments, generating a NIZKP attesting to well-formedness.
  2. Blinded Submission: Commitments are sent to talliers, who individually apply random blinding and publish the blinded commitment to the PBB.
  3. Audit-or-Cast: The voter chooses to either audit (challenge talliers, who must prove correct re-randomization) or cast (finalize) the ballot. Malicious behavior can be unequivocally proven via digitally signed protocol transcripts.
  4. Opening and Verification: After casting, voters reveal shares to the talliers, which verify consistency with prior commitments, aggregate shares, and publish collective validity certificates.
  5. Tally Aggregation and Result Publication: Talliers sum valid shares and corresponding randomness, then reconstruct the aggregate commitment. The designated tallier computes the global result and attaches a SNARK proof attesting to the correctness of the tally relative to public commitments without revealing per-candidate vote counts.

Formal Security and Privacy Analysis

The protocol's security is established in the accountability framework. The probability that an execution accepted by an external judge (auditor) violates fundamental correctness or privacy properties is negligible in the security parameter, assuming the cryptographic primitives are secure. Notable technical aspects include:

  • Cut-and-choose security: With kk challenge rounds, the probability that a malicious tallier can subvert a cast vote undetected is 2−k2^{-k}. The voter can independently tune kk to trade off efficiency for security.
  • Perfect hiding and information-theoretic privacy: Since re-randomization is performed by talliers and the blinding factor is never revealed to the voter, the final commitment on the PBB is independent of all voter secrets. Thus, receipt-freeness is achieved in an information-theoretic sense, obviating the need for shuffle proofs typical in mix-net based approaches.
  • Public auditability and verifiability: The PBB and SNARK proofs enable any third party to verify that the published result is a correct evaluation of the set of valid votes, without access to individual ballots.

Comparison with Prior Art

ACE achieves a property set previously unattainable in a single protocol:

  • Helios, Demos: Achieve E2E verifiability but either leak vote distributions or are vulnerable to transferable receipts due to persistent links in the bulletin board, or rely on trusted clients.
  • Ordinos: Hides tallies but permits vote receipt creation through voter randomness.
  • DeVoS: Provides strong auditability and immutability (blockchain-based) but is fundamentally incompatible with receipt-freeness due to public signed votes.
  • Kryvos: Achieves publicly tally-hiding, but not receipt-freeness or strong client independence.

None of these protocols achieves the ‘trinity’ of (1) public auditability, (2) tally-hiding, and (3) receipt-freeness while obviating trusted clients. ACE resolves this by blending Benaloh-style challenge audits with tallier-side perfect hiding, under standard cryptographic and trust assumptions.

Practical and Theoretical Implications, Directions for AI

The practical implication is the feasibility of deploying large-scale elections that are both universally verifiable and provably immune to coercion, without requiring voters to trust their devices or accept privacy trade-offs. The protocol’s reliance on succinct SNARKs for proof of correctness makes it viable for broad public verification, and the modular design allows extension to more sophisticated voting schemes.

From an AI perspective, future work could address the optimization of audit strategies for voters (e.g., via game-theoretic models or reinforcement learning for effective challenge distributions), batched zero-knowledge proofs to further minimize communication, and integration with ML-based threat monitoring in blockchain or PBB infrastructures.

Conclusion

ACE constitutes a stringent cryptographic protocol for elections that enforces cast-as-intended, verifiability, tally-hiding, and strong receipt-freeness without trusted clients. The combination of commit-and-blind with Audit-or-Cast challenge removes previously essential trust and privacy trade-offs. This result paves the way for privacy-preserving, auditable voting systems scalable to national contexts, and sets a technical benchmark for future secure multiparty computation protocols and verifiable computation paradigms in domains demanding maximal transparency and privacy simultaneously.

Reference: "Audit-or-Cast: Enforcing Honest Elections with Privacy-Preserving Public Verification" (2604.18163).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.