Papers
Topics
Authors
Recent
Search
2000 character limit reached

Silent Vote Mechanisms

Updated 5 July 2026
  • Silent Vote is a family of voting protocols that preserve vote influence while keeping individual ballot choices hidden.
  • It employs techniques like secret sharing, receipt-freeness, and risk-limiting tallies to secure and verify votes without compromising privacy.
  • These methods mitigate coercion and are extensible to various domains, including electronic voting, blockchain systems, and LLM inference.

“Silent vote” denotes a family of mechanisms in which a vote affects an outcome while its origin, content, or evidentiary force remains hidden. In electronic voting, the phrase commonly refers to a ballot that is individually verifiable yet not transferable as proof, as in receipts that mix a voter’s choice with other valid-looking choices (0808.2431). In information-theoretic and self-tallying protocols, it denotes tallying procedures in which ballots remain secret-shared and only an aggregate result is reconstructed (0806.1931, Najarkolaei et al., 2022). In risk-limiting tallying, many ballots remain “shrouded” while the winner is determined to a pre-specified risk limit (Jamroga et al., 2019). In social-choice theory, “silent voters” are abstaining honest voters whose non-participation is handled by rules that add virtual support for the status quo (Meir et al., 2020). In 2026, the term was also repurposed in LLM inference, where the “Silent Vote” is the probability mass assigned to semantic synonyms and discarded by constrained decoding (Badhe et al., 10 May 2026).

1. Security properties and conceptual axes

Across the cited literature, silent-vote mechanisms are organized around a recurring cluster of properties: ballot privacy, individual verifiability, universal verifiability, fairness, receipt-freeness, coercion mitigation, and self-tallying. “A Simple E-Voting Protocol” explicitly targets anonymity or vote privacy, individual verifiability, a weak sense of universal verifiability, software independence, receipt usefulness without proof of vote, and robustness against fraudulent votes (0808.2431). “Information-Theoretically Secure Voting Without an Honest Majority” instead emphasizes unconditional ballot privacy and information-theoretic correctness, while noting that it does not address coercion resistance or receipt-freeness (0806.1931). “BVOT: Self-Tallying Boardroom Voting with Oblivious Transfer” defines perfect ballot secrecy, fairness, self-tallying, and dispute-freeness in a small-election setting with public communications (Javani et al., 2020).

A central distinction is between secrecy and deniability. Some protocols permit a voter to verify that a vote was counted correctly but deliberately prevent the voter from producing a convincing proof of how the vote was cast. In the receipt-based protocol of (0808.2431), the receipt is signed and usable for complaints, but it lists all candidates with valid IDs, so it is not intended to prove the actual choice. By contrast, several information-theoretic constructions are not receipt systems at all; they hide the ballot through secret sharing or threshold cryptography and reveal only the tally or an anonymously permuted multiset of votes (Najarkolaei et al., 2022, Wang et al., 2016).

A second distinction is between full revelation and selective revelation. Conventional tallying reveals every ballot or a detailed aggregate. Risk-limiting tallying deliberately leaves many ballots unrevealed while still bounding the probability of announcing a wrong winner set by a specified α\alpha (Jamroga et al., 2019). This suggests that silent-vote design is not a single cryptographic primitive, but a broader design objective: to preserve the causal effect of a ballot while minimizing what the public transcript reveals about individual choices.

2. Verifiable secrecy in receipt-based electronic voting

“A Simple E-Voting Protocol” constructs a receipt around a random identifier assigned before the voter chooses. The machine generates a fresh random ID IDvID_v, displays it to the voter, and after the choice cc^* is made, prints one line per candidate. For the chosen candidate, the receipt contains (c,IDv)(c^*, ID_v); for every other candidate, it contains a previously used ID associated with that candidate. Formally, the receipt is a list

Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},

with IDcj=IDvID_{c_j}=ID_v only for the selected candidate (0808.2431). The machine signs the receipt, the voter checks it behind glass, and after the election the public website lists all (ID,choice)(ID,\text{choice}) pairs. A voter verifies correctness by searching for IDvID_v and confirming that it appears exactly once next to the intended candidate.

The protocol’s silent-vote property lies in the ambiguity of the receipt. Every line corresponds to a valid vote of some voter, but only the receipt holder knows which line carries the newly assigned ID. This yields a form of receipt-freeness: the voter can verify inclusion and can complain if the published website contradicts the signed receipt, yet a coercer who inspects the receipt cannot tell which candidate was actually selected. The protocol is explicit, however, that it does not fully solve coercion threats. If an adversary collects many receipts and knows vote order, negative inferences remain possible; the protocol provides some degree of receipt-freeness, not full coercion-resistance (0808.2431).

The split-ballot architecture of vVote implements the same design logic in a more developed end-to-end verifiable system. vVote used a Candidate List (CL), containing candidate names in a randomized order and a QR code, and a Preference Receipt (PR), listing the voter’s ranked preferences in the same random order but without candidate names. After the voter checks that CL and PR match, the CL is destroyed and only the PR leaves the polling place (Burton et al., 2015). This makes the receipt non-revealing while preserving cast-as-intended and recorded-as-cast verification. The system was deployed in the Victorian State election and processed 1121 votes, of which 973 were from London and 148 from 24 centres across Victoria; electronic votes were 98.13% formal versus 95.7% for paper (Burton et al., 2015).

vVote is also notable because it was, as described in the paper, the first time blind voters were able to cast a fully secret ballot in a verifiable way in a state-level statutory election. Blind and low-vision voters used an Electronic Ballot Marker with audio prompts, headphones, and a tactile keypad overlay; both CL and PR could be read aloud, separately or together, so verification was accessible without exposing vote content to helpers (Burton et al., 2015). A common misconception documented in the deployment was that the receipt revealed the vote. The paper states that more than half of surveyed voters believed this, but the PR alone does not reveal the vote once the CL has been destroyed (Burton et al., 2015).

3. Information-theoretic and self-tallying constructions

The information-theoretic line of work pursues silent voting by ensuring that individual ballots are never recoverable from the protocol transcript, even for computationally unbounded adversaries. “Information-Theoretically Secure Voting Without an Honest Majority” presents three protocols. Protocol 1 uses distributed bits and a simultaneous broadcast channel among voters; Protocols 2 and 3 introduce authorities, requiring only that at least one authority be honest. Privacy is unconditional, and if the protocol does not fail, correctness holds except with probability 2Ω(s)2^{-\Omega(s)}, where ss is the security parameter (0806.1931). Protocol 3 adds cut-and-choose verification and ballot revocation to prevent corrupt voters from forcing failure, though a corrupt authority can still revoke honest ballots or abort the protocol.

“Information-Theoretic Secure and Private Voting System” gives a Shamir-secret-sharing construction for IDvID_v0 authorized voters and IDvID_v1 candidates plus abstention. Each vote is a one-hot vector IDvID_v2, and the final tally is

IDvID_v3

With IDvID_v4, where IDvID_v5 is the number of malicious voters tolerated, the protocol achieves correctness, privacy, and robustness. Privacy is expressed information-theoretically by the entropy condition

IDvID_v6

for any colluding set IDvID_v7 of at most IDvID_v8 voters (Najarkolaei et al., 2022). Verification uses VSS and BGW-style product checks so that malformed ballots are detected without revealing the voter’s selected coordinate.

Self-tallying boardroom protocols replace trusted talliers with public algebra. BVOT uses a multiparty threshold homomorphic ElGamal system in which each candidate is associated with masked unique primes. A voter obtains exactly one masked prime through IDvID_v9, encrypts it, and broadcasts the ciphertext. After all votes are cast, all decryption shares and the unmasking factor are broadcast, and anyone can compute a product of candidate primes whose exponents equal the vote counts (Javani et al., 2020). The protocol achieves ballot secrecy, fairness, and dispute-freeness without zero-knowledge proofs, but it does not achieve robustness or coercion-resistance.

Quantum constructions realize silent voting with entanglement rather than classical cryptography. “Self-tallying Quantum Anonymous Voting” uses two multipartite states, cc^*0 and cc^*1. The first generates ballot numbers whose row sums are always zero modulo cc^*2; the second generates a random permutation of index numbers, one per voter. Each voter adds their vote to exactly one row indexed by their secret cc^*3, and after simultaneous broadcast the row sums

cc^*4

form a permutation of the individual votes cc^*5 (Wang et al., 2016). Anyone can tally by counting occurrences, while no one can link a row to a voter except the voter who knows the corresponding index.

4. Human-facing, low-tech, and blockchain realizations

Silent-vote design is not confined to heavy cryptography. “Blind proxy voting” modifies a standard paper ballot by splitting it into a grid and a grille. The Registering Authority (RA) assigns a unique ID and receives only the grid and checksum; the Electoral Committee (EC) later reconstructs full ballots from grids and grilles but does not know the voter corresponding to the ID; a proxy sees only the grille and ID, not the grid (Haniková, 2018). The proxy can physically insert the absentee ballot into the box without learning how the principal voted. The mechanism relies on organizational separation rather than formal cryptographic proof, and the paper is explicit that it is not end-to-end verifiable.

“Boardroom Voting: Verifiable Voting with Ballot Privacy Using Low-Tech Cryptography in a Single Room” is an explicitly low-tech realization for roughly 3–40 voters. It uses foldable ballots that can be rotated under a black cloth so observers cannot map visible cells to candidate labels, together with “visual secrets” stamped in invisible ink (Blanchard et al., 2020). At tally time, the visual secrets are revealed, ballots are unfolded, and each voter identifies their own ballot by recognizing the secret pattern while remaining unable to prove to others which ballot was theirs. The protocol offers weak verifiability: a voter can detect malfeasance affecting their own vote, but cannot necessarily convince third parties. This is deliberate, since transferable proof would undermine resistance to undue influence.

Blockchain-based systems use distributed ledgers as commitment layers rather than as primary anonymity mechanisms. SHARVOT represents each vote as a Shamir share of a candidate-specific secret key and uses Circle Shuffle to de-link voters from their submissions. If a candidate obtains at least cc^*6 valid shares, that candidate reconstructs the secret key and spends the election pot through the script, which serves as public evidence of victory (Bartolucci et al., 2018). The protocol targets privacy, transparency, and ballot irrevocability, but the paper does not claim coercion-resistance.

The 2025 “Blockchain Voting System” proposes a hybrid design in which encrypted ballots are stored on a private, permissioned blockchain maintained by organizers and neutral observers, while only hashes of block batches are anchored on a public blockchain. Eligibility is decoupled from ballot casting through one-time blind-signed tokens, and receipts permit inclusion checking without exposing vote content (Tahboub et al., 26 Sep 2025). The prototype uses Next.js, React, Firebase, and a custom chain. This architecture is explicitly presented as a way to make votes private, unlinkable to identity, yet verifiable and tamper-evident (Tahboub et al., 26 Sep 2025).

5. Shrouding, abstention, and the management of visible silence

A major criticism of conventional end-to-end verifiable voting is that even perfectly encrypted or mixed ballots may leak information through the announced result. “Risk-Limiting Tallies” argues that if all votes go to one candidate, ballot privacy effectively evaporates, and very unpopular candidates or complex ballot patterns enable coercion and “Italian” attacks (Jamroga et al., 2019). The proposed response is to reveal only a random subset of ballots, in random order, until the winner can be certified to risk limit cc^*7. The tally is produced as a sequential statistical test rather than by decrypting every ballot. Unrevealed ballots remain “shrouded,” so a coerced voter can plausibly claim that the demanded vote lies among those not opened. The same paper extends the idea to Risk-Limiting Verification in Selene, where not all vote trackers are revealed, thereby strengthening plausible deniability (Jamroga et al., 2019).

The statistical core of RLT is pairwise testing of hypotheses cc^*8, where cc^*9 is defined by assigning ballot labels (c,IDv)(c^*, ID_v)0, (c,IDv)(c^*, ID_v)1, or (c,IDv)(c^*, ID_v)2 depending on whether a ballot supports (c,IDv)(c^*, ID_v)3 but not (c,IDv)(c^*, ID_v)4, (c,IDv)(c^*, ID_v)5 but not (c,IDv)(c^*, ID_v)6, or neither/both. A martingale-based test statistic (c,IDv)(c^*, ID_v)7 is updated as ballots are revealed, and if (c,IDv)(c^*, ID_v)8, the null is rejected at risk at most (c,IDv)(c^*, ID_v)9 (Jamroga et al., 2019). The resulting silent-vote property is not that ballots are permanently encrypted, but that many are never revealed at all.

A different treatment of silence appears in “Safe Voting: Resilience to Abstention and Sybils,” where silent voters are abstaining honest voters Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},0 rather than hidden ballots. The paper studies Reality-aware Social Choice with a distinguished status quo Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},1 and defines a Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},2-Status-Quo Enforcing mechanism

Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},3

where Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},4 is a set of Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},5 virtual voters, all voting for Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},6 (Meir et al., 2020). In the binary case, the resulting rule selects proposal Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},7 only if the fraction supporting Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},8 exceeds Rv={(c1,IDc1),,(ck,IDck)},R_v = \{(c_1,ID_{c_1}),\ldots,(c_k,ID_{c_k})\},9. Safety and liveness are jointly achievable iff

IDcj=IDvID_{c_j}=ID_v0

where IDcj=IDvID_{c_j}=ID_v1 bounds sybil penetration and IDcj=IDvID_{c_j}=ID_v2 bounds abstention among honest voters (Meir et al., 2020). Here silence is encoded conservatively as implicit support for reality. This is not a privacy mechanism, but it belongs to the same conceptual field insofar as the political meaning of non-expression is modeled explicitly rather than ignored.

These two literatures address a common misconception from opposite directions. One misconception is that secrecy alone solves coercion; RLT shows that the public tally may still leak too much (Jamroga et al., 2019). Another is that abstention is neutral; status-quo enforcing rules show that silence changes the safety–liveness frontier and therefore must be modeled explicitly (Meir et al., 2020).

6. Extensions beyond electoral voting

The silent-vote idea has migrated into domains where voting is not about public office. Privocracy replaces high-privilege administrative actions with a weighted e-voting procedure over commands. Votes are Shamir-shared, committed with Pedersen commitments, and aggregated by AVSS and ABA; the command executes only if

IDcj=IDvID_{c_j}=ID_v3

The system is designed so that, under the intended TEE model, only a single approval bit leaves the secure environment, while individual votes remain confidential with “everlasting privacy” (Camponês et al., 1 Feb 2026). Delegation, emergency votes, and selective audit votes extend the scheme from ballot secrecy to operational governance.

The most distant extension is terminological rather than institutional. “The Silent Vote: Improving Zero-Shot LLM Reliability by Aggregating Semantic Neighborhoods” defines the Silent Vote as the probability mass assigned to semantic synonyms that standard constrained decoding discards. Standard constrained decoding uses

IDcj=IDvID_{c_j}=ID_v4

thereby renormalizing over the label tokens only (Badhe et al., 10 May 2026). Semantic Softmax instead aggregates the semantic neighborhood of each label using a thresholded cosine-similarity kernel

IDcj=IDvID_{c_j}=ID_v5

and then computes

IDcj=IDvID_{c_j}=ID_v6

On GoEmotions and Civil Comments, using Qwen-3-1.7B and Phi-4-mini, the method reduced ECE substantially while also improving Brier Score, AUROC, and Macro-F1. For example, on GoEmotions with Qwen-3-1.7B, ECE fell from IDcj=IDvID_{c_j}=ID_v7 to IDcj=IDvID_{c_j}=ID_v8, Brier from IDcj=IDvID_{c_j}=ID_v9 to (ID,choice)(ID,\text{choice})0, AUROC rose from (ID,choice)(ID,\text{choice})1 to (ID,choice)(ID,\text{choice})2, and Macro-F1 from (ID,choice)(ID,\text{choice})3 to (ID,choice)(ID,\text{choice})4 (Badhe et al., 10 May 2026).

This suggests that “silent vote” has evolved into a more abstract designation for hidden but consequential support: hidden candidate preferences in receipts, hidden ballots in risk-limiting tallying, hidden approvals in access control, abstaining citizens whose silence must be modeled, and hidden semantic evidence in language-model inference. The electoral core remains dominant, but the term now names a general problem of preserving influence while suppressing linkability or overexposure.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Silent Vote.