End-to-End Verifiable E-Voting

Updated 26 December 2025

End-to-end verifiable e-voting is a secure electronic voting paradigm that uses cryptographic techniques to ensure votes are cast as intended, recorded as cast, and tallied as recorded.
It employs methods such as homomorphic encryption, mix-nets, and non-interactive zero-knowledge proofs to provide public verifiability and maintain voter privacy.
Practical implementations like Helios and Prêt à Voter demonstrate the system's efficiency and resilience against manipulation in low-trust environments.

End-to-end verifiable e-voting (E2E-V) refers to election protocols that provide rigorous, cryptographically backed evidence to all stakeholders—voters, auditors, and the public—that (1) each ballot reflects the voter’s intention, (2) all ballots are faithfully collected and included, and (3) the tally corresponds precisely to the set of recorded votes, all while maintaining strong privacy guarantees and requiring minimal trust in the election infrastructure. Unlike conventional systems, in which correctness and privacy depend on trusted hardware or administrators, E2E-V systems shift trust into cryptographic procedures, public audit data, and distributed verification, with proofs posted on open boards and the detection probability for manipulation made exponential with the number of independent checks. This paradigm is realized via a composition of cryptographic primitives—homomorphic encryption, mix-nets, non-interactive zero-knowledge proofs (NIZKs), robust public ledgers (“bulletin boards”), and optionally, voter-verified paper records (VVPRs)—spanning both traditional and quantum-resistant constructions (Benaloh et al., 2015, Ali et al., 2016, Culnane et al., 2014, Chondros et al., 2015, Homoliak et al., 21 May 2025, Crimmins et al., 2021, Blanchard et al., 2020, Srivastava et al., 19 Dec 2025).

1. Formal Definitions and Security Properties

The central requirement for E2E verifiability is that any attempt to alter, drop, substitute, or miscount votes—by malicious authorities, compromised devices, or network adversaries—will either be impossible or detected with overwhelming probability, without reliance on any single trusted device or administrator (Benaloh et al., 2015, Ali et al., 2016). The canonical properties are:

Cast-as-intended: Each voter obtains evidence that her encrypted ballot correctly encodes her selection ( $m$ ). Statistical or cryptographic challenge mechanisms (e.g., Benaloh challenge, audit spoils, or device checks) ensure the probability a compromised device forges a valid ballot without detection drops exponentially with the number of independent challenges (Benaloh et al., 2015, Müller et al., 2023, Haq et al., 2022).
Recorded-as-cast: Each voter can verify that their ciphertext, or other verifiable representation, is correctly posted to the append-only public bulletin board under a unique label (serial or receipt code) and is included (unaltered) in the set to be tallied (Chondros et al., 2015, Chondros et al., 2016, Culnane et al., 2014).
Tallied-as-recorded: Any party can verify—using public proofs, shuffle audits, or homomorphic proofs—that all posted ballots are tallied exactly as recorded, and no extra or missing votes are present. ZKPs over the tallying process (both mixing and decryption) guarantee that any discrepancies or manipulations are publicly detectable (Benaloh et al., 2015, Haq et al., 2022, Culnane et al., 2014, Chondros et al., 2015).

Additional security targets include:

Voter privacy/anonymity: IND-CPA security of encryptions, unlinkability through mix-nets, and post-quantum anonymity via hard problems (e.g., MQ) (Srivastava et al., 19 Dec 2025).
Receipt-freeness and coercion resistance: Voters cannot produce evidence of how they voted, thwarting vote-selling and coercion (Ali et al., 2016, Müller et al., 2023).
Eligibility/robustness: Only eligible voters’ ballots are included and each votes only once; robust systems tolerate some number of corrupt authorities before liveness or privacy fail (Chondros et al., 2015, Chondros et al., 2016).

2. System Architectures and Protocol Taxonomy

E2E-V systems exhibit a modular architecture, typically including: (1) voter client or interface (in-person, remote, or by mail), (2) a public bulletin board (append-only ledger), (3) a set of distributed tally authorities (mixnets or homomorphic decryption trustees), and (4) an open auditing interface (Benaloh et al., 2015, Haq et al., 2022, Chondros et al., 2015, Chondros et al., 2016). There is wide variation in the voting and tallying protocol families:

Protocol Type	Ballot Privacy	Tally Method	Audit Channel
Homomorphic Encryption	IND-CPA	Additive aggregation	Threshold decryption, ZKPs
Mix-net based	Unlinkability	Sequential shuffling	NIZK shuffle, receipt checks
Code/Receipt Voting	Code sheet “split”	Either above	Code look-up, audit spoils
Dual (E2E+VVPR)	Both cryptographic	Both above + paper rec.	Traceable mix, paper match
Blockchain-based	IND-CPA	Contractized aggregation	Batch anchoring, NIZKs
Post-Quantum	MQ/other hard prob.	MPQC/BB publish-decrypt	Commitments, post-quantum

Homomorphic encryption systems (Helios, STAR-Vote, VoteMate) rely on ElGamal or similar schemes; each ballot is encrypted with fresh randomness, and the “homomorphic” property allows tallies to be summed in the exponent and decrypted via threshold-sharing (Homoliak et al., 21 May 2025, Benaloh et al., 2015, Ali et al., 2016).

Mix-net systems (Prêt à Voter, vVote, Scantegrity II, OpenVoting) employ a cascade of mix servers, each applying a secret permutation (and re-encrypting) ballots, with NIZK proofs ensuring the mixing is honest and unlinkable (Culnane et al., 2014, Blanchard et al., 2020, Agrawal et al., 2019, Burton et al., 2015). Threshold decryption is performed post-mix.

Code-based and receipt systems (Pretty Good Democracy, VV@Home, RemoteVote) provide each voter with codes or short receipts, enabling look-up on a public board but offering no proof of vote intent to a coercer (Crimmins et al., 2021, Ali et al., 2016).

Hybrid/dual systems such as OpenVoting combine cryptographic ballots with VVPRs, enabling localized recovery—when some polling stations fail to verify, only those stations re-vote while the cryptographically verifiable tally for honest booths stands (Agrawal et al., 2019).

Blockchain-based systems (VoteMate, hybrid blockchain) store encrypted ballots and hash commitments on permissioned and/or public ledgers. Smart contracts orchestrate aggregation and threshold decryption with on-chain proofs, minimizing trust and ensuring auditability (Homoliak et al., 21 May 2025, Tahboub et al., 26 Sep 2025).

Post-quantum secure designs leverage multivariate cryptography (MQ), lattice-based, or hash-based primitives to retain E2E verifiability under quantum adversaries, typically with direct publish-what-you-decrypt board models and minimal ZK/commitment machinery (Srivastava et al., 19 Dec 2025).

3. Core Cryptographic Mechanisms

E2E-V protocols are underpinned by a core set of advanced primitives:

Homomorphic Encryption: Encrypted votes can be combined algebraically (often additively) without decryption. In ElGamal: $E(m;r) = (g^r, h^r g^m)$ and $\prod E(m_i;r_i) = E(\sum m_i; \sum r_i)$ . Decryption is performed by threshold trustees, and a Chaum–Pedersen proof demonstrates correctness (Benaloh et al., 2015, Chondros et al., 2015, Chondros et al., 2016).
Mix-nets: Ballot privacy is enforced by applying secret permutations (and re-randomizations) to ciphertext lists. ZKPs show that inputs and outputs are related by a permutation and re-encryptions, using standard proofs (Bayer–Groth, Neff) (Culnane et al., 2014, Ali et al., 2016).
Commitment schemes: Perfectly hiding and computationally binding commitments (e.g., Pedersen commitments) ensure voters or authorities are bound to selections or randomness, vital for auditability and eligibility (Chondros et al., 2015, Agrawal et al., 2019).
Non-interactive Zero-Knowledge Proofs (NIZKs): ZKPs provide public, verifiable guarantees that ciphertexts are correctly formed, mix-shuffles are fair, and decryptions are honest, without revealing underlying votes or secrets. Fiat–Shamir heuristic is typically used to obtain non-interactivity (Benaloh et al., 2015, Culnane et al., 2014, Homoliak et al., 21 May 2025).
Threshold cryptography and secret sharing: Private keys for decryption or commitments are distributed among $n$ trustees; any $t > n/2$ can cooperate to produce valid operations, mitigating single points of compromise (Chondros et al., 2016, Chondros et al., 2015).
Auditable public ledgers (Bulletin Boards): Append-only, replicated boards are the reference source for ballots, receipts, and proofs; all audit procedures and tally-checking reference this ledger (Benaloh et al., 2015, Tahboub et al., 26 Sep 2025, Chondros et al., 2015).
Post-Quantum Primitives: Multivariate quadratic encryption (MQE) and signature (MQS) constructions avoid number-theoretic weaknesses, binding security to NP-hardness (Srivastava et al., 19 Dec 2025).

4. Typical Workflow and Verification Procedures

A typical E2E-V election involves:

Setup: Key generation for trustees, setup of voting clients, and in some cases, production of individualized or randomized ballots with pre-committed parameters (Chondros et al., 2015, Culnane et al., 2014, Srivastava et al., 19 Dec 2025).
Ballot Casting: Voters make selections, possibly via in-person device, browser, or paper/mailed interface. The device prepares an encrypted vote (and typically a ZKP of correct formation). Cast-as-intended challenge may be optional, performed in the client or on a second device (Müller et al., 2023, Ali et al., 2016, Haq et al., 2022).
Receipt Issuance and Posting: The voter receives a receipt (cryptographic hash, serial, code), and the ballot is appended to the board. In dual or code-based systems, paper receipts or shortcodes are used (Chondros et al., 2015, Crimmins et al., 2021, Culnane et al., 2014, Agrawal et al., 2019).
Verification: Voters (when diligent) look up their receipt or serial on the board, confirming their vote was “recorded as cast” (Burton et al., 2015, Crimmins et al., 2021, Chondros et al., 2016).
Tallying: Either homomorphic aggregation and threshold decryption, or verifiable mixing followed by decryption and public proof. All steps are accompanied by non-interactive ZKPs or challenge/response logs (Benaloh et al., 2015, Chondros et al., 2015, Culnane et al., 2014).
Auditing: Anyone may download the complete set of board data and cryptographic proofs, replay each verification check, and confirm the tally. In advanced settings (OpenVoting), partial failures can be localized and the system recovers by having only implicated booths re-run, preserving the integrity of the valid partial tally (Agrawal et al., 2019).

5. Deployed Systems, Practical Considerations, and Case Studies

Representative systems and deployments highlight both architecture and practical trade-offs:

Helios: A web-based E2E-V system employing homomorphic tallying and cast-or-challenge flow; widely used for university and organizational elections. Usability is constrained by user participation in spoil/cast-or-challenge steps (Benaloh et al., 2015, Ali et al., 2016).
Prêt à Voter and vVote: Paper-based with randomized ballot forms encoding candidate order; mix-net backend. Used in the 2014 Victorian State Election, supporting both supervised poll-site and remote voting for visually impaired users. Receipt checking rates were ~13% in the field (Culnane et al., 2014, Burton et al., 2015).
D-DEMOS: A fully distributed, human-verifiable internet voting system; no single point of failure except for initial setup. Deployed in large-member organizational elections and national exit polls in Greece. Scales to 250 million ballots with sub-second vote collection latency (Chondros et al., 2015, Chondros et al., 2016).
OpenVoting: Dual E2E/VVPR approach enabling per-booth failure localization and re-vote, without forfeiting auditability or privacy. Designed for minimal additional cognitive requirements on the voter (Agrawal et al., 2019).
RemoteVote/SAFE Vote: Extensions bringing E2E-V to vote-by-mail, using scratch-off codes, ballot pairs, and advance publication of commitments to bridge physical verification gaps (Crimmins et al., 2021).
VoteMate & Blockchain-backed E2E-V: Smart-contract enforced aggregation, receipt issuance, and threshold decryption on public ledgers. Proofs of aggregation and correct decryption are all on-chain (Homoliak et al., 21 May 2025, Tahboub et al., 26 Sep 2025).
Multivariate (Post-Quantum) E2E-V: Eliminates number-theoretic hardness assumption exposure, instead relying on MQ for encryption, signing, and commitment. Proposed for settings where quantum risk is relevant (Srivastava et al., 19 Dec 2025).

Key deployment feedback: E2E-V is usable by diverse populations when properly guided (e.g., >75% rated vVote “easy to use” (Burton et al., 2015)). However, verification rates may remain low, leaving overall detection probability dependent on small, unpredictable subsets of voters and independent auditors.

6. Open Challenges, Usability, and Future Directions

Notable technical and operational challenges persist:

Usability and Participation: Voters must be clearly incentivized or guided to perform audits/challenges; observed (Helios, vVote) rates are often <10%. UX research and frictionless verification, including batch or delegated approaches, remain active priorities (Haq et al., 2022, Crimmins et al., 2021, Ali et al., 2016).
Legal and Governance Integration: Ensuring legal admissibility of cryptographic evidence, regulatory mandates for open posting, and training officials to interpret results are pivotal for deployment beyond pilots (Haq et al., 2022, Ali et al., 2016).
Scalability and Performance: For large elections, proof generation and bulletin board publication must be amortized (e.g., via Merkle trees, batch proofs, blockchain anchoring) without compromising verifiability (Chondros et al., 2015, Tahboub et al., 26 Sep 2025, Homoliak et al., 21 May 2025).
Coercion-resistance and Receipt-freeness: Making receipts untransferable, adopting protocols that withstand strong threat models (JCJ/Civitas), and leveraging split-ballot or commitment-only flows, especially for remote or unsupervised contexts (Culnane et al., 2014, Ali et al., 2016, Müller et al., 2023).
Post-Quantum Transition: Replacing all number-theoretic hardness dependencies with MQ, lattice, hash-based, or code-based primitives, while retaining efficient, robust ZK and commitment techniques (Srivastava et al., 19 Dec 2025).
Adapting to Developing-Country Constraints: Hardware and connectivity constraints, sociopolitical opposition, and limited election management capacity challenge direct translation of developed-world E2E paradigms. Frugal, locally adapted protocols and audit flows are a major research agenda (Haq et al., 2022).

7. Variants and Special Contexts

Vote-by-Mail: Protocols such as RemoteVote and SAFE Vote adapt E2E-V to environments with only a postal channel between voter and authority, emphasizing harmless, ignorable verification and resilient auditability (Crimmins et al., 2021).
Low-tech/Boardroom Voting: E2E concepts extend even to no-computer, physical proofs of cast-as-intended, collected-as-cast, and tallied-as-collected correctness, using foldable ballots and visual secrets to achieve privacy and verifiability (Blanchard et al., 2020).
Dual E2E-V+VVPR: Systems merging cryptographic electronic voting with paper VVPRs, such as OpenVoting, provide not only dispute resolution and auditability, but also recoverability: only failed stations must be re-polled if verification fails (Agrawal et al., 2019).
Blockchain and Smart Contract Elections: Hybrid systems (VoteMate, Blockchain Voting System) increase transparency and transparency, allow public visibility and easy synchronization of the full election record, and enforce auditability through on-chain verification of cryptographic proofs and aggregation logic (Homoliak et al., 21 May 2025, Tahboub et al., 26 Sep 2025).

In total, the field of E2E-V e-voting represents a convergence of advanced cryptography, rigorous security definitions, distributed systems engineering, and usability research, with ongoing work refining mechanisms to ensure universal verifiability, practical deployment, and adaptability across sociopolitical and technological contexts (Benaloh et al., 2015, Culnane et al., 2014, Ali et al., 2016, Haq et al., 2022, Chondros et al., 2015, Srivastava et al., 19 Dec 2025).