Receipt-Free Electronic Voting from zk-SNARK
Maryam Sheikhi, Rosario Giustolisi and Carsten Schuermann
IT University of Copenhagen, Copenhagen, Denmark
Keywords:
Electronic Voting, Receipt-Freeness, Everlasting Privacy, Participation Privacy.
Abstract:
In 2016, Locher and Haenni (Locher and Haenni, 2016) proposed an e-voting scheme that offers verifiability,
everlasting vote privacy, and computational receipt-freeness, as well as an informal discussion of how the
scheme achieves such properties. We advance this line of work by proposing a new cryptographic scheme that
provably satisfies those properties as well as everlasting participation privacy and efficient tallying. Receipt-
freeness relies on deniable vote updating and verifiable null ballot posting, generated from public knowledge
stored on the bulletin board. The everlasting vote and participation privacy properties directly result from
the hash-based commitment scheme and efficient zero-knowledge proofs (SNARKs). Finally, we provide
mathematical proofs for all the properties, including a new game-based definition of participation privacy.
1 INTRODUCTION
In 2016, Locher and Haenni (Locher and Haenni,
2016) proposed an e-voting scheme that offers com-
putational receipt-freeness, verifiability, and everlast-
ing vote privacy with minimal trust assumptions. Ver-
ifiability guarantees a verification of the accuracy of
the election outcome, even if not all election partici-
pants are honest. Vote privacy refers to what can be
learned about the link between a vote and the iden-
tity of the voter. Most voting schemes guarantee vote
privacy under standard cryptographic assumptions,
which means that vote privacy depends directly on the
choice of key sizes which are expected to be broken
once computing power has caught up. In contrast,
Locher and Haenni’s scheme guarantees everlasting
vote privacy, which is independent of key sizes and
other computational assumptions. It also guarantees
that voters are unable to convince a third party about
the way they voted, even if they are willing to do so,
a property that is called receipt-freeness and that pre-
vents vote-buying and mitigates voter coercion.
In this work, we propose an e-voting scheme that
introduces a credential protocol for voter registra-
tion and vote submission through a combination of
hash-based commitment scheme and efficient zero-
knowledge proofs (zk-SNARKs). Our scheme satis-
fies verifiability, everlasting vote privacy, and com-
putational receipt-freeness. Furthermore, we prove
that our scheme also guarantees participation privacy,
which means that an adversary cannot learn from the
information published on the bulletin board, if a voter
has voted or not, i.e. participated in the election. Most
e-voting schemes resort to digitally signed ballots,
which protect the integrity of the vote from modifica-
tion by malicious parties but usually reveal if a voter
has participated in the election or not.
• We propose an e-voting scheme with everlasting vote privacy, everlasting participation privacy, receipt-freeness, and verifiability based on minimal trust assumptions.
• We provide a new definition of everlasting participation privacy and prove that our e-voting scheme satisfies this definition.
• We prove that our scheme also meets vote privacy and receipt-freeness.
2 RELATED WORK
Benaloh and Tuinstra (Benaloh and Tuinstra, 1994)
proposed the first scheme achieving receipt-free vot-
ing. Their idea was later extended by Sako and Kil-
ian (Sako and Kilian, 1995), who apply mix-networks
that shuffle the order of encryption of yes/no votes
and then send the order to the voter through an untap-
pable channel. Different flavours of receipt-freeness
properties based on untappable channels with vari-
ous cryptographic schemes and efficiency guarantees
were introduced in (Okamoto, 1997; Hirt and Sako,
2000; Ryan et al., 2016) and in coercion-resistance schemes (Juels et al., 2005; Bohli et al., 2007). In BeleniosRF (Chaidos et al., 2016), a trusted randomization server provides receipt-freeness. Kulyk et al. (Kulyk et al., 2015) extended Helios (Adida, 2008) allowing a voter to update their vote by revoting and nullifying the previous ballot. In this scheme, receipt-freeness is achieved thanks to dummy ballots that are cast by a trusted third party. The scheme also provides participation privacy, which is based on the indistinguishability of dummy ballots from ballots cast by voters. All the schemes above achieve computational vote privacy but not everlasting privacy.

Sheikhi, M., Giustolisi, R. and Schuermann, C.
Receipt-Free Electronic Voting from zk-SNARK.
DOI: 10.5220/0012140000003555
In Proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023), pages 254-266
ISBN: 978-989-758-666-8; ISSN: 2184-7711
Copyright © 2023 by SCITEPRESS Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

Table 1: Comparison of different receipt-free voting schemes. We use the notation from (Haines et al., 2023). A security property not relying on any trust assumption is denoted by +. $DT_T$ denotes the distributed trust assumption on tally servers. $T_P$ denotes trust on a third party. N/C denotes a property that is not claimed, while N/A denotes a not-applicable property.

Property                              BeleniosRF   KTV-Helios   Locher & Haenni   This scheme
Computational vote privacy            $DT_T$       $DT_T$       +                 +
Everlasting vote privacy              N/A          N/A          +                 +
Computational participation privacy   N/A          $T_P$        N/C               +
Everlasting participation privacy     N/A          N/A          N/C               +
Verifiability                         $T_P$        $T_P$        +                 +
Computational receipt-freeness        $T_P$        $T_P$        $T_T$             $T_P$
(Moran and Naor, 2006) introduced a verifiable
receipt-freeness scheme with everlasting privacy us-
ing an untappable channel that models a private
polling booth. (Demirel et al., 2012; Demirel et al.,
2013) proposed enhancements to Helios (Adida,
2008) and Prêt à Voter (Ryan et al., 2009) with everlasting privacy, which is achieved by perfectly hiding
and computationally binding commitment schemes
and untappable channels. However, those schemes as-
sume that the voting server is trusted (Demirel et al.,
2012; Buchmann et al., 2013; Demirel et al., 2013).
(Locher and Haenni, 2015) proposed a scheme that
meets everlasting privacy without trusted authorities
and computational hardness assumptions. They later
enhanced their scheme to provide receipt-freeness
(Locher and Haenni, 2016), which can be obtained
by a trust assumption on the tally phase. However,
they only provide an informal discussion of how the
scheme achieves its properties.
Table 1 summarizes the comparison between our
scheme and previous receipt-free e-voting schemes.
BeleniosRF and KTV-Helios achieve receipt-freeness
and verifiability, assuming a trusted third party. They
are not designed to achieve everlasting privacy. KTV-
Helios is one of the few e-voting schemes that pro-
vides computational participation privacy against a
computationally bounded adversary. Locher and
Haenni provide a scheme that can achieve everlasting
privacy and verifiability without the need for trusted
parties. Our scheme has the same trust assumption as
their scheme and provably achieves everlasting par-
ticipation privacy without the need for trusted parties.
3 CRYPTOGRAPHIC PRELIMINARIES
In this section, we present the definitions and the se-
curity properties of the cryptographic primitives that
form the building blocks of our voting scheme. We
also provide a foretaste of how we intend to use the
cryptographic primitives in our scheme.
ElGamal Encryption Scheme. The ElGamal encryption scheme is a triple of PPT algorithms (KeyGen, Enc, Dec) defined as follows.
• $\mathrm{KeyGen}(\lambda) \to (P, pk, sk)$: on input of security parameter $\lambda$ and $sk \in_U \mathbb{Z}_q$, it derives the public parameter $P = (G, q, g)$ and computes $pk = g^{sk}$. $P$ contains a cyclic group $G$ of prime order $q$ generated by $g$. When derivable from the context, we omit $P$ from the public and secret keys.
• $\mathrm{Enc}(m, ((G, q, g), pk)) \to (c_1, c_2)$: on input of a message $m$ and public key $pk$, it chooses $r \in_U \mathbb{Z}_q$ and outputs $(c_1, c_2)$, where $c_1 = g^r$, $c_2 = m \cdot pk^r$. The message $m$ is of form $m = g^a$ where $a \in \mathbb{Z}_q$.
• $\mathrm{Dec}((c_1, c_2), ((G, q, g), sk)) \to m$: on input a ciphertext $(c_1, c_2)$, it outputs $m = c_2 \cdot c_1^{-sk}$.
The ElGamal encryption scheme satisfies semantic security under the Diffie-Hellman assumption. For the encryption scheme, we use the NM-CPA security definition. The ElGamal ciphertext with a Schnorr proof is NM-CPA secure in the random oracle model.
For our election scheme, $pk_T$ denotes the public encryption key and $sk_T$ denotes the decryption key, such that $pk_T = g^{sk_T}$. The decryption key can be distributed using (k,n) Shamir secret sharing so that k > 1 out of n shares are required to decrypt the ciphertext (Brandt, 2005). A re-encryption of a given ciphertext $(c_1, c_2)$ with a new $r' \in_U \mathbb{Z}_q$ can be simply computed by multiplying the ciphertext by the encryption of zero, i.e., $g^0$ (or $m = 1$), namely, $\mathrm{reEnc}((c_1, c_2), pk) = (c_1, c_2) \cdot \mathrm{Enc}(g^0, pk)$. The re-encryption result of a given ciphertext can be described as $\mathrm{Enc}(g^m, pk)$ with randomness $r + r'$. As we shall see later in the description of our voting scheme, we denote the encryption of the message $g^m$ with public key $pk$ and randomness $r$ by $\mathrm{enc}_{pk}(m; r)$.
We use re-encryption mix servers in the tally phase of our scheme. Given a set of ElGamal ciphertexts $\{(c_{11}, c_{12}), (c_{21}, c_{22}), \ldots, (c_{n1}, c_{n2})\}$ and a uniformly random secret permutation $\rho$, the mix servers output $\{(c_{\rho(1)1}, c_{\rho(1)2}), (c_{\rho(2)1}, c_{\rho(2)2}), \ldots, (c_{\rho(n)1}, c_{\rho(n)2})\}$. This can be done by re-encrypting the ciphertexts, and it is infeasible for a computationally bounded adversary to match inputs and outputs. Indeed, $(c_0, c_1)_{\rho(i)}$ is a re-encryption of $(c_1, c_2)_i$ for a sequence of secret permutations and random re-encryptions. Each mix server generates a proof of correct computation of the output, which satisfies the input and the public key.
Commitment Scheme. A commitment scheme is a triple of PPT algorithms (Setup, Commit, Open) defined as follows.
• $\mathrm{Setup}(\lambda) \to PP$: on input a security parameter $\lambda$, it outputs the public parameters $PP$, including a description of the message space $M$, commitment space, and commitment key space.
• $\mathrm{Commit}(PP, m) \to (c, r)$: on input $PP$ and a message $m \in M$, it outputs a commitment $c$ and the opening randomness $r$.
• $\mathrm{Open}(PP, (c, m, r)) \to 0/1$: on input a commitment $c$ on message $m$ with randomness $r$, it outputs 1 if accept and 0 otherwise.
A secure commitment scheme satisfies correctness, binding, and hiding properties as follows:
• Correctness. For every $m \in M$,
$$\Pr\left[\begin{array}{l} \mathrm{Setup}(\lambda) \to PP \\ \mathrm{Commit}(PP, m) \to (c, r) \\ \mathrm{Open}(PP, (c, m, r)) \to 1 \end{array}\right] = 1$$
• Hiding. For all PPT adversaries $A$, there exists a negligible $\varepsilon$ such that $\forall \lambda \in \mathbb{N}$,
$$\Pr\left[\begin{array}{l} \mathrm{Setup}(\lambda) \to PP \\ A(\lambda) \to (st, m_0, m_1) \\ b \in \{0,1\} \\ \mathrm{Commit}(PP, m_b) \to (c, r) \\ A(st, c) \to b' \\ b = b' \end{array}\right] \le 1/2 + \varepsilon(\lambda)$$
• Binding. For all PPT adversaries $A$, there exists a negligible $\varepsilon$ such that $\forall \lambda \in \mathbb{N}$,
$$\Pr\left[\begin{array}{l} \mathrm{Setup}(\lambda) \to PP \\ A(\lambda) \to (c, m, r, m', r') \\ b \in \{0,1\} \\ \mathrm{Open}(PP, (c, m, r)) \to b \\ \mathrm{Open}(PP, (c, m', r')) \to b' \\ m \neq m' \\ b = b' = 1 \end{array}\right] \le \varepsilon(\lambda)$$
A commitment scheme is perfectly hiding against a computationally unbounded adversary if the scheme satisfies the hiding property with $\varepsilon = 0$. A commitment scheme is statistically hiding against a computationally unbounded adversary if the scheme satisfies the hiding property with the adversary advantage at most $\varepsilon(\lambda)$. A commitment scheme is perfectly binding against a computationally unbounded adversary if the scheme satisfies the binding property with $\varepsilon = 0$.
In our scheme, we use the SHA-commitment
scheme. The public parameters are assumed to be
generated in an initial setup phase and publicly known
to all parties thereafter. We simply write c = H(cr,t)
for a hash commitment to a message cr with opening
randomness t.
Digital Signature Scheme. A digital signature scheme is a triple of PPT algorithms (KeyGen, Sign, Verify) defined as follows.
• $\mathrm{KeyGen}(\lambda) \to (sk_\sigma, pk_\sigma)$: on input a security parameter $\lambda$, it outputs a signing key pair $(sk_\sigma, pk_\sigma)$, with $pk_\sigma$ denoting the verification key and $sk_\sigma$ the signing key.
• $\mathrm{Sign}(sk_\sigma, m) \to \sigma$: on input a message $m \in \{0,1\}^*$ and a signing key $sk_\sigma$, it outputs a signature $\sigma$ on message $m$.
• $\mathrm{Verify}(\sigma, m, pk_\sigma) \to 0/1$: on input a signature $\sigma$ on message $m$ and a verification key $pk_\sigma$, it outputs 1 if it accepts the signature and 0 otherwise.
A digital signature scheme satisfies correctness and existential unforgeability properties (Katz and Lindell, 2007). In our scheme, the registrar signs the list of registered voters and publishes the signed list on the bulletin board.
zk-SNARK. A Zero-Knowledge Succinct Non-
interactive Argument of Knowledge (zk-SNARK) is
a cryptographic proof primitive. To achieve the suc-
cinctness it uses pre-processing for arithmetic circuit
satisfiability. It assumes an algorithm running as a
one-time trusted setup for preprocessing. Proof gen-
eration and verification depend on the output of the
preprocessing setup.
Let $R_\lambda$, where $\lambda \in \mathbb{N}$ is the security parameter, be a polynomial-time decidable relation $R$ on pairs $(x, \omega)$, where $x$ is the statement and $\omega$ is the witness. We write $R(x, \omega) = 1$ to show that $(x, \omega)$ satisfies $R$, and $R(x, \omega) = 0$ otherwise. A preprocessing zk-SNARK for $R_\lambda$ is a triple of PPT algorithms (KeyGen, Prove, Verify) defined as follows.
• $\mathrm{KeyGen}(R, \lambda) \to (pk, vk)$: on input a security parameter $\lambda$ and a relation $R$ represented as an arithmetic circuit of size polynomial in $\lambda$, it outputs $pk$ as a proving key and $vk$ as a verifying key.
• $\mathrm{Prove}(pk, x, \omega) \to \pi$: on input $pk$, an evaluation key for a relation $R$, a statement $x$, and a witness $\omega$ such that $R(x, \omega) = 1$, it outputs a proof $\pi$.
• $\mathrm{Verify}(vk, x, \pi) \to 0/1$: on input a verification key $vk$, a statement $x$, and a proof $\pi$, it outputs 1 to indicate a valid proof and 0 otherwise.
zk-SNARKs are required to protect the prover
from the disclosure of the secret witness, and the ver-
ifier from a forged proof. We now recall the security
notions to define a zk-SNARK.
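• Completeness. An honest verifier always accepts a proof made by an honest prover for a statement $x$ using the valid witness $\omega$. Formally,
$$\Pr\left[\begin{array}{l} \lambda \in \mathbb{N}, (x, \omega) \in R \\ \mathrm{KeyGen}(R, \lambda) \to (pk, vk) \\ \mathrm{Prove}(pk, x, \omega) \to \pi \\ \mathrm{Verify}(vk, x, \pi) \to 1 \end{array}\right] \ge 1 - \varepsilon(\lambda).$$
• Perfect Zero-Knowledge. The proof and the keys reveal no information about the secret witness $\omega$. Formally, there is a PPT algorithm sim = (simGen, simPr) such that for all $\lambda \in \mathbb{N}$, $(x, \omega) \in R$, and PPT adversary $A$, the following two distributions are statistically close:
$$D_0 = \left\{\begin{array}{l} \mathrm{KeyGen}(R, \lambda) \to (pk, vk) \\ \mathrm{Prove}(pk, x, \omega) \to \pi_0 \\ (pk, vk, x, \pi_0) \end{array}\right\}, \qquad D_1 = \left\{\begin{array}{l} \mathrm{simGen}(R, \lambda) \to (pk, vk, td) \\ \mathrm{simPr}(pk, x, td) \to \pi_1 \\ (pk, vk, x, \pi_1) \end{array}\right\},$$
where $td$ denotes the simulation trapdoor.
• Proof of Knowledge. Intuitively, every prover generating a valid proof must know the corresponding secret witness. Formally, for any PPT prover, there exists a PPT Extractor and negligible function $\varepsilon$ such that for all $\lambda \in \mathbb{N}$, $R$, and any auxiliary input $m \in \{0,1\}^*$,
$$\Pr\left[\begin{array}{l} \mathrm{KeyGen}(R, \lambda) \to (pk, vk) \\ \mathrm{Prove}(pk, m) \to (\pi, x) \\ \mathrm{Extract}(pk, vk, m) \to \omega \\ \mathrm{Verify}(vk, x, \pi) \to 1 \\ (x, \omega) \notin R \end{array}\right] \le \varepsilon(\lambda).$$
The Extractor has full access to the prover's state, including any random coins.
• Succinctness. For any $\lambda \in \mathbb{N}$, $(pk, vk)$, and any binary relation $R$, the proof size is $\mathrm{poly}(\lambda)$ and the verification time is $\mathrm{poly}(\lambda) + |x|$.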
Zero-knowledge proofs are the main tool in our protocol to achieve the voter's privacy. In our scheme, KeyGen samples a proving key $pk$ and a verification key $vk$, where this preprocessing is publicly verifiable. Both keys are published as public parameters and can be used any number of times to prove/verify membership in $L_R$. Thanks to zk-SNARK, a voter can prove that they know the encryption randomness for a ciphertext $e_v = (c_1, c_2)$, the commitment $c$, the opening randomness $t$ for a voting credential $cr$, and a list of commitments (a Merkle tree root) such that $c := H(cr, t)$. Nobody learns which commitment in the voters' commitment list the voting credential is assigned to. In addition, it allows us to prove the voter's eligibility while protecting the unlinkability between voting credential and voter identity.
We also use zero-knowledge proofs to allow the
voter to prove 1) knowledge of the secret information
involved in the encryption of the vote, 2) knowledge
of the secret commitment related to the public com-
mitment list or Merkle tree root, and 3) knowledge
of the opening randomness of the secret commitment
related to the voting credential in the ballot. In the
tally phase, we provide proof for the validity of mix-
ing and decryption (Fiat and Shamir, 1986; Chaum
and Pedersen, 1992; Hirt and Sako, 2000; Schnorr,
1991; Camenisch and Stadler, 1997).
It is worth noting that zk-SNARK requires a one-time trusted setup of public parameters, i.e., (pk,vk).
The violation of the trust assumption might affect the
soundness of the proofs though privacy continues to
hold even if the setup trapdoor is revealed. In (Ben-
Sasson et al., 2018), the authors proposed a transpar-
ent zero-knowledge system (zk-STARK) in which the
setup does not rely on any trusted party, and it has no
trapdoors that could be exploited by powerful parties
to prove false witness.
4 ELECTION SCHEME AND ADVERSARY MODELS
Our e-voting scheme consists of the following participants: the election authority $E$, the registrar $R$, the voters $I = \{id_1, id_2, \ldots, id_m\}$, the talliers $\{T_1, T_2, \ldots, T_n\}$ and a public append-only bulletin board BB. The election authority provides the following election public information: the candidate list, the list of eligible voters, and the public parameters.
A voter interacts with the registrar via an authenticated channel to register for the election. The registrar authenticates eligible voters and publishes the voter identities on the BB. It signs the list of registered voters. The BB lists the ballots, either cast by a voter or by the BB itself, as null ballots. The talliers publish the election result and the proofs of correct tallying on the BB during the tally phase. The talliers verify, mix, shuffle, and decrypt the selected ballots to compute the final result. Each tallier has a partial decryption key of a k-out-of-n encryption scheme.
Adversary Models. We first consider an adversary
who aims to break the privacy of the voter by link-
ing a vote to the voter. We consider the following
adversarial capabilities: A computationally bounded
adversary A can actively participate in the election,
corrupt some voters and collect all data available during the election. To evaluate the everlasting properties, we consider a computationally unbounded adversary $A'$ who can access any publicly available information and knowledge from corrupted voters in
the future. As we shall see later, the cryptographic
primitives in our scheme provide statistical hiding and
zero-knowledge properties, therefore, a computation-
ally unbounded adversary has a negligible advantage
to break participation privacy and vote privacy. An-
other type of adversary is a vote buyer. A vote buyer
aims to pay rewards to dishonest voters who can con-
vince the adversary that they voted as instructed with
a receipt. In general, receipt-freeness does not prevent
an adversary from buying the voter’s private key and
voting on behalf of the voter. Our scheme is receipt-
free under the assumption that the adversary is com-
putationally limited and that the bulletin board and the
voting device are trusted.
4.1 Definition of the E-Voting Scheme
Our scheme is defined in terms of eight functions, i.e.
ES =(Setup, Registervoter, Register, Vote, Valid, Ap-
pend, Tally, VerifyTally) and proceeds in five different
phases: setup, registration, voting, tally, and verifica-
tion. The eight functions are defined as follows.
• $\mathrm{Setup}(\lambda, R) \to (PP, sk_T, sk_\sigma)$: on input a security parameter $\lambda$ and a relation $R$ represented as an arithmetic circuit of size polynomial in $\lambda$, it generates the prover and verifier key pair $(pk, vk) \leftarrow \mathrm{KeyGen}(R, \lambda)$, the election encryption key pair $(pk_T, sk_T) \leftarrow \mathrm{KeyGenE}(\lambda)$, the registrar's signing key pair $(sk_\sigma, pk_\sigma) \leftarrow \mathrm{KeyGenS}(\lambda)$, the commitment parameters $CR \times T \leftarrow \mathrm{SetupC}(\lambda)$ from the commitment setup, and the public parameters $PP = (G, q, g, H, pk_T, pk_\sigma, (pk, vk))$.
• $\mathrm{Registervoter}(id) \to (c_{id}, cr_{id}, t_{id})$: on implicit input $PP$ and voter identity $id$, it chooses a random pseudonym $cr_{id} \in CR$, computes $(t_{id}, c_{id}) \leftarrow \mathrm{Commit}(PP, cr_{id})$, and returns $(c_{id}, cr_{id}, t_{id})$, where $t_{id}$ is chosen randomly from $T$.
• $\mathrm{Register}(id, c_{id}, L) \to (L, rt_L, \sigma)$: on input voter identity and commitment $(id, c_{id})$ and list $L$, it adds $(id, c_{id})$ to the list $L$, computes $rt_L$ and signature $\sigma$ on $(L, rt_L)$ with secret register key $sk_\sigma$, and then returns $(L, rt_L, \sigma)$.
• $\mathrm{Vote}(id, sk_{id}, pk_T, v) \to \beta$: on input voter identity $id$, election public key $pk_T$, and voter secret key $sk_{id} = (t_{id}, cr_{id})$, it generates a ballot $\beta = (e_v, cr_{id}, \pi_{id})$ with pseudonym $cr_{id}$ and vote $v$ by computing $e_v = \mathrm{enc}_{pk_T}(v; r)$. In addition, it computes a disjunctive proof with $\mathrm{Prove}(pk_R, x, \omega) \to \pi$, where $\omega = (r, c_{id}, v, t_{id})$ and $x = (e_v, cr_{id}, rt_L)$, and simulates the null ballot proof.
• $\mathrm{Valid}(\beta) \to 0/1$: on input a ballot $\beta = (e_v, cr_{id}, \pi_{id})$, it checks that it is valid, i.e., that the proof is correct and it is well-formed with $\mathrm{Verify}(vk, (e_v, cr_{id}), \pi_{id}) \to 0/1$.
• $\mathrm{Append}(BB, \beta) \to BB$: on input a ballot $\beta$, it appends $\beta$ to BB based on $D_t$. It generates and appends a null ballot(s) $(e_0, cr_{id}, \pi_{id})$ with the pseudonym $cr_{id}$ based on probability distribution $D_r$ and $D_t$. It computes $e_0 = \mathrm{enc}_{pk_T}(0; r)$ and disjunctive proof $\pi_{id}$ with $\mathrm{Prove}(pk_R, x, \omega) \to \pi_{id}$, where $\omega = (r, 0)$, $x = (e_0, cr_{id}, rt_L)$, and it simulates the other side of the voter's proof.
• $\mathrm{Tally}(BB, sk_T) \to (s, \Pi)$: on input the public bulletin board, it computes the election result. It returns $(s, \Pi)$, where $s$ is the election result, and $\Pi$ is proof of correct tallying, as follows.
  - Run $\mathrm{Valid}(\beta)$ and return 0 if it fails.
  - For each $cr_{id}$ appearing in the ballots, compute $B_{cr_{id}} = \prod_{e_v \in B(cr_{id})} e_v$, where $B(cr_{id})$ is the set of $(e_v, cr_{id}, \pi_{id})$ identified by $cr_{id}$.
  - Remove $(cr_i, \pi_i)$ from each $B_{cr_i}$ and mix the ballots $\{B_{cr_1}, B_{cr_2}, \ldots, B_{cr_k}\}$, where $k$ is the number of distinct pseudonyms $cr_i$, and return the mixed ballots $\{B_1, B_2, \ldots, B_k\}$ with a proof of valid mixing.
  - For each $B_i$ and vote option $v \in V$, apply a plaintext equality test (PET) and provide the corresponding proof.
  - Compute the result $s$ based on the PET for each vote $v$ and publish the proofs.
• $\mathrm{VerifyTally}(BB, s, \Pi) \to 0/1$: on input $(s, \Pi)$, it returns 1 if all the proofs are valid, otherwise 0.
4.2 Phases of the E-Voting Scheme
We now describe how each function is executed in
each phase. The detailed steps are in Figure 1.
Setup Phase: given a security parameter $\lambda$ and relation $R$, $E$ runs $\mathrm{Setup}(\lambda, R)$ that:
1: generates $(G, q, g)$, threshold tuple $(k, n)$, election key pair $(pk_T, sk_T)$, registrar key pair $(pk_\sigma, sk_\sigma)$, commitment function and parameters $H : CR \times T \to C$, and zero-knowledge proof key pair $(pk, vk)$ for the relation $R$.
2: publishes $PP = (G, q, g, H, pk_T, pk_\sigma, (pk, vk))$, eligible voters $I$, and candidate list $V$ (as an ElGamal message $g^v$) on BB.
Registration Phase: a voter $id$ runs $\mathrm{Register}(id)$ which
1: selects voting pseudonym $cr_{id} \in CR$;
2: computes $c_{id} = H(cr_{id}, t_{id}) \in \{0,1\}^{O(\lambda)}$ with $t_{id} \in T$ and stores $(cr_{id}, t_{id})$ locally.
3: sends $c_{id}$ to $R$ via an authentic channel.
4: $R$ appends $(id, c_{id})$ to the list $L$;
5: computes the Merkle tree root $rt_L$ from the order commitments in the list $L$;
6: signs $L$ and $rt_L$ and publishes on BB.
7: The voter verifies $c_{id} \in L$ and the Merkle tree root $rt_L$ on BB.
Voting Phase: to cast a vote $v$, the voter runs $\mathrm{Vote}(id, sk_{id}, pk_T, v)$, with $sk_{id} = (cr_{id}, t_{id})$, which
1: computes $e_v = \mathrm{enc}_{pk_T}(v; r)$ where $r \in \mathbb{Z}_q$ is the encryption randomness. In the case of nullifying the previous vote $v_{pre}$ and voting for $v_{new}$, the voter sets $v = v_{new} - v_{pre}$;
2: computes a zero-knowledge proof $\pi_{id}$ with the proving key $pk$:
$\pi_{id} = \{(r, c_{id}, v, t_{id}) \mid (e_v = (g^r, g^v pk_T^r) \wedge c_{id} = H(cr_{id}, t_{id}) \wedge c_{id} \in rt_L)\} \vee \{(r, g^0) \mid e_v = (g^r, g^0 pk_T^r)\}$;
3: submits $\beta = (e_v, cr_{id}, \pi_{id})$ to the BB via an anonymous channel.
4: BB runs $\mathrm{Valid}(\beta)$ which
5: checks the validity of the proof on the ballot and verifies the ballot does not already exist on BB;
6: runs $\mathrm{Append}(BB, \beta)$ which appends the ballot $\beta$ and null ballots to BB.
7: The voter verifies that $\beta$ is appended to BB.
8: BB generates the null ballot as follows:
9: computes $e_0 = \mathrm{enc}_{pk_T}(0; r)$;
10: selects a $cr_{id}$ from a $\beta$ on BB;
11: computes $\pi_{id}$ as:
$\pi_{id} = \{(r, c_{id}, v, t_{id}) \mid (e_0 = (g^r, g^v pk_T^r) \wedge c_{id} = H(cr_{id}, t_{id}) \wedge c_{id} \in rt_L)\} \vee \{(r, g^0) \mid e_0 = (g^r, g^0 pk_T^r)\}$.
Tally Phase: $T$ runs $\mathrm{Tally}(BB, sk_T)$ which
1: verifies the ballots on BB and selects ballots with valid proof;
2: computes a final ballot for each $cr_{id}$ on BB by applying the homomorphic property of the encryption scheme;
3: shuffles, mixes, and publishes the final ballots without $cr_{id}$ and provides proof of correctness;
4: applies PET on the final ballots and selects ballots that encrypt a vote;
5: decrypts the ballots and publishes the result with proof of decryption on BB.
Verification Phase:
1: any party can verify that tallying is performed correctly by running $\mathrm{VerifyTally}(BB, s, \Pi)$ which verifies the result and all proofs posted on tallying.
Figure 1: Election Process.
Setup Phase. $E$ runs the Setup algorithm with security parameter $1^\lambda$ and relation $R$ that generates a threshold tuple $(k, n)$, the candidate list $V$, the encryption parameters $(G, q, g)$, the election encryption key pair $(pk_T, sk_T)$, the registrar key pair $(pk_\sigma, sk_\sigma)$, the commitment scheme public parameters, and the setup function for zk-SNARKs that results in a key pair $(pk, vk)$ for generating and verifying proofs. Once completed, $E$ publishes $I = \{id_1, id_2, \ldots, id_m\}$, $(pk, vk)$, $pk_T$, $pk_\sigma$, the encryption and commitment public parameters, and the candidate list $V$ on BB. In addition, $E$ defines the discrete probability distributions $D_r$ and $D_t$ used respectively to sample the number of null ballots for each pseudonym and to determine the time to cast each of them in the voting phase. While $D_r$ can be a uniform distribution, $D_t$ is a distribution that represents typical vote casting behaviour.¹

¹ If $D_t$ is a uniform distribution, an adversary might be able to distinguish revoting from null ballots due to vote casting behaviour.

Registration Phase. Every voter $id$ is assumed to select a pseudonym $cr_{id}$ with opening value $t_{id}$ and generate a commitment $c_{id} = H(cr_{id}, t_{id})$. Each voter submits commitment $c_{id}$ to a registrar $R$ via an authentic channel. $R$ publishes the commitments and the list of voters on BB.
$R$ also publishes a Merkle tree root $rt_L$ of the pairs of commitments and the corresponding voter identities: $L = \{(c_{id_1}, id_1), \ldots, (c_{id_m}, id_m)\}$ under the registrar signature $\sigma$. The voter can verify the published commitment next to their identity. The voter with the authentication path, which can be provided by the registrar, can verify that their commitment is a leaf of the Merkle tree root $rt_L$. Anyone can verify that $rt_L$ is correctly built thanks to the signed list $L$. Note that publishing $L$ does not affect participation privacy because the list contains the identity and commitment of the voters who are registered for the election.
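The registration data flow described above, as an added example that is not code from the paper: a voter commits to a pseudonym with c = H(cr, t), the registrar builds rt_L over the commitments in list order, and the voter checks the authentication path for their own leaf. SHA-256 with domain tags, the padding rule for odd levels, the voter names and all function names are assumptions of this example; the registrar's signature on (L, rt_L) is left out.

```python
import hashlib
import hmac
import secrets


def H(tag: bytes, *parts: bytes) -> bytes:
    """SHA-256 with a domain tag and length-prefixed parts (no ambiguous concatenation)."""
    h = hashlib.sha256(tag + b"\x00")
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


EMPTY = H(b"empty")  # padding node used when a level has an odd number of nodes


def commit(cr: bytes):
    """Voter side: c_id = H(cr_id, t_id) with fresh 256-bit opening randomness t_id."""
    t = secrets.token_bytes(32)
    return H(b"commit", cr, t), t


def open_commitment(c: bytes, cr: bytes, t: bytes) -> bool:
    """Open(c, cr, t): accept only if (cr, t) hashes to the published commitment."""
    return hmac.compare_digest(c, H(b"commit", cr, t))


def build_levels(commitments):
    """Registrar side: Merkle tree over the commitments in list order; last level is [rt_L]."""
    if not commitments:
        raise ValueError("cannot build a tree over an empty list")
    levels = [[H(b"leaf", c) for c in commitments]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + [EMPTY] * (len(levels[-1]) % 2)
        levels.append([H(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def auth_path(levels, index):
    """Sibling hashes from the leaf at `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append(level[sibling] if sibling < len(level) else EMPTY)
        index //= 2
    return path


def verify_path(root, commitment, index, path) -> bool:
    """Voter side: recompute the root from the own commitment and the sibling hashes."""
    node = H(b"leaf", commitment)
    for sibling in path:
        if index % 2 == 0:
            node = H(b"node", node, sibling)
        else:
            node = H(b"node", sibling, node)
        index //= 2
    return hmac.compare_digest(node, root)


def demo_registration():
    voters = ["alice", "bob", "carol"]          # constructed identities
    private, L = {}, []
    for vid in voters:
        cr = secrets.token_bytes(16)            # pseudonym cr_id
        c, t = commit(cr)
        private[vid] = (cr, t)                  # stays on the voter's device
        L.append((vid, c))                      # published list L
    levels = build_levels([c for _, c in L])
    root = levels[-1][0]                        # rt_L
    idx = 2                                     # carol's position in L
    cr, t = private["carol"]
    c, path = L[idx][1], auth_path(levels, idx)
    return {
        "opens": open_commitment(c, cr, t),
        "in_tree": verify_path(root, c, idx, path),
        "wrong_opening": open_commitment(c, cr, secrets.token_bytes(32)),
        "foreign_commitment": verify_path(root, commit(cr)[0], idx, path),
    }
```

Only the commitments and the root are public; the pair (cr, t) is the witness the voter later uses inside the zero-knowledge proof.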
Voting Phase. The voter submits a ballot $\beta$ to the bulletin board through an anonymous channel using the Vote algorithm. The ballot $\beta = (e_v, cr_{id}, \pi_{id})$ contains an encrypted vote $e_v = \mathrm{enc}_{pk_T}(v; r)$, the voting pseudonym $cr_{id}$, and a disjunctive zero-knowledge proof $\pi_{id}$ that proves that either the ballot $\beta$ was created by a voter $id$ in possession of the secret witness about the voter pseudonym and the encryption randomness $r$, or it is a null ballot that reuses a voting pseudonym from a ballot previously cast on BB. More precisely, $\pi$ proves the knowledge of $r$, $v$, and $t$ such that $H(cr_{id}, t_{id})$ is a leaf on $rt_L$ and $e_v = \mathrm{enc}_{pk_T}(v; r)$, or that the $\beta$ is a null ballot. Note that $cr_{id}$ is unique; thus, nobody can generate a new non-null ballot without knowing $t_{id}$ to generate $\pi_{id}$. However, one can generate a null ballot (i.e., an encryption of zero) from a known voting pseudonym taken from a ballot on BB.
A trusted server or the BB regularly generates
and appends null ballots to distract a potential adver-
sary observing the posts on BB from learning vot-
ing behaviors and enabling receipt-freeness. The BB
checks the validity of the proof π, then verifies that
the β does not already exist on BB. A valid β is then
published on BB.
Tally Phase. All ballots with the same voting
pseudonym are added together. Then, the respective
voting pseudonym and proof are removed from the
ballots, which are shuffled and mixed. Only ballots
that pass a plaintext equality test (PET) are decrypted.
The talliers publish on BB the result alongside the
proofs of correct shuffle and decryption.
Verification Phase. Any party can verify the result
and the proofs on BB.
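The aggregation step behind deniable vote updating, as an added example that is not code from the paper: ballots sharing a pseudonym are multiplied component-wise, so an update $v = v_{new} - v_{pre}$ and the bulletin board's null ballots sum to the voter's final choice. The toy group, the pseudonym strings and the function names are constructed for illustration; the zk-SNARK proofs, mixing and threshold decryption are not modelled, and the PET is replaced by a lookup after decryption.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Election key pair (pk_T, sk_T) with pk_T = g^sk_T."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def enc(pk, v):
    """enc_pk(v; r) = (g^r, g^v * pk^r) for fresh r; v is reduced mod q, so -1 is valid."""
    r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(G, v % Q, P) * pow(pk, r, P) % P)


def combine(a, b):
    """Component-wise product: encrypts the sum of the two plaintext exponents."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def dec(sk, c):
    """Returns g^v = c2 * c1^(-sk)."""
    return c[1] * pow(c[0], -sk, P) % P


def tally(board, sk, options):
    """board: list of (ciphertext, pseudonym). Returns {option: number of final ballots}."""
    per_cr = {}
    for e, cr in board:                       # one final ballot per pseudonym
        per_cr[cr] = combine(per_cr[cr], e) if cr in per_cr else e
    encoded = {pow(G, v, P): v for v in options}
    counts = {v: 0 for v in options}
    for final in per_cr.values():
        v = encoded.get(dec(sk, final))       # stand-in for mixing plus a PET per option
        if v is not None:                     # sums that are not a listed option are dropped
            counts[v] += 1
    return counts


def demo_election():
    pk, sk = keygen()
    options = [1, 2, 3]                       # candidate list V; 0 is the null value
    board = [
        (enc(pk, 2), "cr_A"),                 # voter A casts 2 (say, as instructed)
        (enc(pk, 0), "cr_A"),                 # null ballot appended by the BB
        (enc(pk, 3), "cr_B"),                 # voter B casts 3
        (enc(pk, 1 - 2), "cr_A"),             # A updates: v = v_new - v_pre = 1 - 2
        (enc(pk, 0), "cr_B"),                 # null ballot
        (enc(pk, 0), "cr_A"),                 # null ballot
        (enc(pk, 3), "cr_D"),                 # D casts 3 ...
        (enc(pk, 2), "cr_D"),                 # ... then adds 2: sum 5 is not an option
    ]
    return tally(board, sk, options)
```

An observer of the board sees four ciphertexts under `cr_A` and cannot tell the update from the null ballots, which is what makes the first ballot useless as a receipt.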
5 SECURITY PROPERTIES
We prove participation privacy, receipt-freeness, and
vote privacy. Note that while we model in the proof
the tallier as a single trusted party, the result also holds
when the talliers are distributed.
5.1 Participation Privacy
A voting scheme ensures participation privacy if the
scheme only reveals the number of participants and
the results of the election. Our definition of partici-
pation privacy is inspired by a game-based definition
of ballot privacy (Bernhard et al., 2015). Kulyk et
al. (Kulyk et al., 2015) propose a quantitative defini-
tion of participation privacy. Their definition captures
participation privacy for a voter based on dummy bal-
lots, which are inserted by a trusted party, to make
a voter who participates in the election indistinguish-
able from one who abstains. We propose a new def-
inition that does not rely on a trusted party casting
dummy ballots and can be also used to prove ever-
lasting participation privacy.
Definition. Given a PPT adversary $A$, we define the experiment $\mathrm{Exp}^{ppriv,b}_{A,ES}$, which models an indistinguishability game involving two bulletin boards being tracked simultaneously. Only one of these bulletin boards is accessible to $A$ depending on the bit $b \in \{0,1\}$ of $\mathrm{Exp}^{ppriv,b}_{A,ES}$, as defined in Fig. 2. The challenger flips a coin and executes the Setup phase where $PP$ represents the public information of an election scheme (ES) in the Setup phase. The adversary $A$ can make multiple queries to the oracle OVote to let an honest voter with identity $id$ cast a vote for candidate $v$ on $BB_0$ and $BB_1$. The adversary $A$ can call the oracle OCast to cast a ballot on behalf of any voter. By using these oracles, $A$ populates both bulletin boards with additional contents so that both bulletin boards have the same ballots except the ballots for $id_0$ and $id_1$. In order to model vote abstention versus vote participation, we provide $A$ with an oracle OAbstain to allow an honest voter $id_0$ to participate in the election by voting for a candidate $v$, while an honest voter $id_1$ abstains on $BB_0$ or vice versa on $BB_1$. The election result is computed on $BB_0$. The adversary can make a query to the oracle OTally to access the result on $BB_b$. The adversary $A$ is allowed to query all oracles multiple times. Note that the computationally unbounded adversary $A'$ has access through $view_A$ to the knowledge of $A$, but not to information derived from the communication channels. This is also known as practical everlasting privacy.
Definition 1. An election scheme ES achieves participation privacy if for all adversaries $A$ and $A'$, where $A$ is PPT,
$$\Pr\left[\mathrm{Exp}^{ppriv,0}_{A,A',ES}(\lambda, L, V, R) = 1\right] - \Pr\left[\mathrm{Exp}^{ppriv,1}_{A,A',ES}(\lambda, L, V, R) = 1\right]$$
is negligible in security parameter $\lambda$.

$\mathrm{Exp}^{ppriv,b}_{A,A',ES}(\lambda, L, V, R)$:
    $(PP, sk_T, sk_\sigma) \leftarrow \mathrm{Setup}(\lambda, R)$
    $(id_0, id_1) \leftarrow A(PP, L, V)$
    $b \leftarrow A^{O}(PP, L, V, id_0, id_1)$
    $b \leftarrow A'(PP, L, V, id_0, id_1, view_A)$
    output $b$
OVote($id$, $v$):
    if $v \notin V$ or $id \notin L \setminus \{id_0, id_1\}$ then return
    end if
    $\beta \leftarrow \mathrm{vote}(id, sk_{id}, pk_T, v)$
    append($\beta$, $BB_0$)
    append($\beta$, $BB_1$)
OAbstain($v$):
    if $v \notin V$ then return
    end if
    $\beta_0 \leftarrow \mathrm{vote}(id_0, sk_{id_0}, pk_T, v)$
    $\beta_1 \leftarrow \mathrm{vote}(id_1, sk_{id_0}, pk_T, v)$
    append($\beta_0$, $BB_0$)
    append($\beta_1$, $BB_1$)
OCast($\beta_A$):
    if valid($BB_b$, $\beta_A$) = 0 then return
    end if
    append($BB_0$, $\beta_A$)
    append($BB_1$, $\beta_A$)
OBoard():
    return $BB_b$
OTally():
    $(s, \Pi_b) \leftarrow \mathrm{tally}(BB_b, sk_T)$
    return $(s, \Pi_b)$
Figure 2: Participation Privacy $\mathrm{Exp}^{ppriv,b}_{A,A',ES}(\lambda, L, V, R)$.
To evaluate the participation privacy of our scheme, we specify the current capabilities of $A$ and the future capabilities of $A'$ as follows: the computationally bounded adversary $A$ might be able to vote, corrupt some voters, and has access to communication channels. However, the computationally unbounded adversary $A'$ cannot access the (anonymous) communication channels, but can access any other information in possession of $A$. Honest voters do not actively prove participation or abstention to $A$.
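The experiment of Fig. 2 can be run as a small harness; the following is an added example, not code from the paper. It keeps the OVote, OAbstain and OBoard oracles (OCast and OTally are left out), and `ToyScheme`, `linking_adversary`, the voter names and the `leak_id` flaw are hypothetical stand-ins chosen to show what a distinguishing advantage looks like.

```python
import hashlib
import secrets

def commit(cr: bytes, t: bytes) -> str:
    """Hash-based commitment c = H(cr, t) to pseudonym cr with random opening t."""
    return hashlib.sha256(cr + t).hexdigest()

class ToyScheme:
    """Hypothetical stand-in for ES. leak_id=True models a flawed ballot format."""

    def __init__(self, voters, leak_id):
        self.leak_id = leak_id
        # Secret per-voter pseudonym cr and opening t (16 random bytes each).
        self._secret = {v: (secrets.token_bytes(16), secrets.token_bytes(16))
                        for v in voters}
        # Public list L of (id, c) pairs.
        self.L = {v: commit(cr, t) for v, (cr, t) in self._secret.items()}

    def vote(self, voter_id, v):
        cr, _t = self._secret[voter_id]
        # Random hex stands in for the encrypted vote e_v; the proof pi is omitted.
        ballot = {"e_v": secrets.token_hex(8), "cr": cr.hex()}
        if self.leak_id:
            ballot["id"] = voter_id      # the flaw: identity posted next to cr
        return ballot

def exp_ppriv(b, scheme, adversary, id0, id1, candidates):
    """Run the experiment with hidden bit b and return the adversary's guess."""
    bb = ([], [])                        # BB_0 and BB_1, tracked simultaneously

    def o_vote(voter_id, v):             # OVote: same ballot on both boards
        if v not in candidates or voter_id not in scheme.L or voter_id in (id0, id1):
            return
        beta = scheme.vote(voter_id, v)
        bb[0].append(beta)
        bb[1].append(beta)

    def o_abstain(v):                    # OAbstain: id0 votes on BB_0, id1 on BB_1
        if v not in candidates:
            return
        bb[0].append(scheme.vote(id0, v))
        bb[1].append(scheme.vote(id1, v))

    def o_board():                       # OBoard: only BB_b is visible
        return list(bb[b])

    return adversary(scheme.L, id0, id1, o_vote, o_abstain, o_board)

def linking_adversary(L, id0, id1, o_vote, o_abstain, o_board):
    """Guess b by looking for anything on the board that names id0 or id1."""
    o_vote("carol", "yes")               # identical ballot on both boards
    o_abstain("yes")
    for ballot in o_board():
        if ballot.get("id") == id0:
            return 0
        if ballot.get("id") == id1:
            return 1
        # cr alone cannot be matched against L: recomputing H(cr, t) needs t.
    return 0                             # no link found: fixed guess

def advantage(leak_id, trials=200):
    """Empirical |Pr[guess = 1 | b = 0] - Pr[guess = 1 | b = 1]| for this adversary."""
    ones = [0, 0]
    for b in (0, 1):
        for _ in range(trials):
            scheme = ToyScheme(["alice", "bob", "carol"], leak_id)
            ones[b] += exp_ppriv(b, scheme, linking_adversary,
                                 "alice", "bob", {"yes", "no"})
    return abs(ones[0] - ones[1]) / trials
```

The harness measures one adversary only; the definition quantifies over all of them, so a zero here shows that this particular linking strategy fails, not that the toy scheme is private.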
Theorem 1. Our scheme has participation privacy.
Proof. We define a sequence of games, starting with $A$ interacting with the participation privacy challenger with $b = 0$, and ending with $A$ interacting with the participation privacy challenger with $b = 1$. Each transition will be noticed by $A$ with negligible probability. Therefore, we will be able to show that $A$ has a negligible distinguishing advantage.
Let $G$ be the participation privacy game corresponding to $\mathsf{Exp}^{\mathsf{ppriv},0}_{A,ES}(\lambda, L, V)$. This experiment simulates the voting scenario in our scheme where $id_0$ participates while $id_1$ does not. $A$ sees $BB_0$ and the result $(s, \Pi)$ is returned by oracle OTally() on $BB_0$. The adversary $A'$ has access to $BB_0$ via $\mathsf{view}_A$.
Let $G_0$ be the game obtained by modifying the game $G$. More precisely, we modify $G$ so that the challenger, which has access to the trapdoor and the programmable random oracle provided in the setup phase, simulates all zk-SNARK proofs. Since the zk-SNARK system is perfect zero knowledge, the distribution of the simulated $\pi$ is identical to that of the proofs computed in $G$. Hence the advantage of $A$ and $A'(\mathsf{view}_A)$ in distinguishing these two games is zero.
Game $G_1$ is obtained by changing game $G_0$ as follows: the challenger replaces the output of OAbstain($v$) by swapping the ballots of the voters $(id_0, c_0)$ and $(id_1, c_1)$. In this case, a ballot $(e_v, cr_1, \pi_{cr_1})$ is placed on $BB_0$ instead of $(e_v, cr_0, \pi_{cr_0})$ as a result of an OAbstain($v$) query. Based on the hiding property of the commitment scheme and on the zk-SNARK proof system, we argue that the distinguishing probability of the participation privacy adversary between games $G_0$ and $G_1$ is negligible in security parameter $\lambda$. To this end, we consider a computationally unbounded adversary $B$ against the statistical hiding property of the commitment scheme that makes use of the distinguishing advantage of $A$ between games $G_0$ and $G_1$. The adversary $B$ simulates the games for $A$: let $\{c_b, c_{1-b}\}$ be the response of the hiding-challenger to query $\{cr_0, cr_1\}$. The adversary $B$ adds $(id_b, c_b)$ and $(id_{1-b}, c_{1-b})$ to the list $L$. The adversary $B$ simulates the answer of the oracle OAbstain($v$) to $A$ as follows: $B$ computes the encryption of the vote $v$ and simulates the proof $\pi$ corresponding to the ballot information $\beta = (e_v, cr_0, \pi)$. The adversary $B$ can compute the result, which is equal to that of $G_0$. If $c_b$ is a commitment on $cr_0$, $B$ exactly simulates the game $G_0$, and $G_1$ otherwise. In the game $G_0$, the voter pseudonym $cr_0$ in the ballot $\beta_0$ on $BB_0$ is related to $(id_0, c_0)$. However, in $G_1$, the voter pseudonym $cr_1$, in the ballot $\beta_1$, is placed on $BB_0$, where pseudonym $cr_1$ is related to the commitment $c_1$. As a result, the advantage of $A$ in distinguishing game $G_1$ from $G_0$ is negligible in security parameter $\lambda$. Moreover, differences in the advantage between these games are negligible even if the computationally unbounded adversary $A'$ is able to view $A$'s information except the communication channels.
We have replaced the view of the adversary in game $G$, namely $BB_0$, with $BB_1$ in $\mathsf{Exp}^{\mathsf{ppriv},1}_{A,ES}$ through a sequence of games. The advantage of $(A, A')$ in distinguishing the transitions between the games is negligible.
5.2 Receipt-Freeness
Definitions of receipt-freeness in the computational model usually consider indistinguishability games defined by oracles. We extend the receipt-freeness definition by Bernhard et al. (Bernhard et al., 2017) by allowing $A$ to access the oracle OCast for casting a ballot, which is the same as the one defined in the participation privacy experiment. We refer to (Bernhard et al., 2017) for the definitions of the oracles which $A$ can query in the experiment $\mathsf{Exp}^{\mathsf{rf},b}_{A,ES}$.
Definition 2. An election scheme ES achieves receipt-freeness if there exists an algorithm sim-proof such that for all PPT adversaries $A$,
$$\Pr\left[\mathsf{Exp}^{\mathsf{rf},0}_{A,ES}(\lambda, L, V, R) = 1\right] - \Pr\left[\mathsf{Exp}^{\mathsf{rf},1}_{A,ES}(\lambda, L, V, R) = 1\right]$$
is negligible in security parameter $\lambda$.
We assume that the tallier and the voting device
are trustworthy. We assume an anonymous commu-
nication channel between the voter and the voting
scheme. Also, the bulletin board that generates the
null ballots is trustworthy, and voters can cast their
ballots without being observed by the adversary A.
We show that our scheme satisfies receipt-freeness, as defined in the receipt-free definition in (Bernhard et al., 2017). The oracle OVoteLR in $\mathsf{Exp}^{\mathsf{rf},b}_{A,ES}$ models an honest voter $id$ with two potential votes $v_0$ and $v_1$ in our scheme. The oracle OReceipt models the behavior of a voter when asked to provide a receipt by the adversary $A$. The coerced voter can provide receipts to the adversary and does not change their votes, as illustrated on $BB_0$. The case where a voter decides to update their vote is modeled on $BB_1$. The function update-vote($id$, $sk_{id}$, $pk_T$, $v$ $v_A$) models a coerced voter who changes their vote by encrypting the vote $v$ $v_A$. The obfuscate function simulates the function of casting null ballots in our scheme.
Theorem 2. Our scheme is receipt-free under the
DDH assumption in the random-oracle model.
Proof. We consider a sequence of games, starting from $\mathsf{Exp}^{\mathsf{rf},0}_{A,ES}$, and step by step change the view of the adversary $A$ from $BB_0$ to $BB_1$ in $\mathsf{Exp}^{\mathsf{rf},1}_{A,ES}$. We will demonstrate that the adversary $A$ distinguishes the transition through all these games with a negligible advantage. In our scheme, the tally oracle simulates the proofs for the tally when $b = 1$ using a programmable random oracle. The function sim-proof takes as input the board $BB_1$ and the result $R$ from $BB_0$, and returns the simulated proof $\Pi_1$. This proof is indistinguishable to PPT adversaries from the proof of correct tallying.
Let $G_0$ be the first game corresponding to $\mathsf{Exp}^{\mathsf{rf},0}_{A,ES}(\lambda, L, V, R)$. This experiment simulates the voting scenario in our scheme where the coerced voter $id$ submits $\beta_{v_A}$ and does not update their vote. In this game, the adversary $A$ sees $BB_0$, and the result $(s, \Pi)$ is returned by oracle OTally() on $BB_0$.
Let $G_1$ be the game obtained by modifying $G_0$ with the following change: the zero-knowledge proof in the tally phase is simulated by the algorithm sim-proof. Thanks to the ZK property of the proof system, the distinguishing probability of the receipt-free adversary $A$ between $G_0$ and $G_1$ is negligible.
Let $G_2$ be the game obtained from game $G_1$ with the following change on $BB_0$: the output of the oracle OVoteLR is replaced. Precisely, the ballot $\beta_0$ on $BB_0$ is replaced with the corresponding ballot $\beta_1$ on $BB_1$. The result $s$ is equal to the result of the game $G_1$ and the proof is simulated by the sim-proof on the current bulletin board, namely, $BB_{G_2}$.
Let $G_3$ be the game obtained from $G_2$ with a change on the output of the oracle OReceipt on $BB_{G_2}$. A null ballot on $BB_{G_2}$ is replaced by the update ballot $\beta_v$ on $BB_1$. The obfuscate function generated the null ballots on $BB_0$ in the game $G_0$. The result $s$ is equal to the result of the game $G_2$, and the proof is simulated by the sim-proof on $BB_{G_3}$. In this game, the adversary's view of the content of the bulletin board corresponds to the experiment $\mathsf{Exp}^{\mathsf{rf},1}_{A,ES}(\lambda, L, V, R)$. This experiment is equivalent to the voting scenario in our scheme, where the voter $id$ casts an additional update ballot $\beta_v$.
We now prove that the adversarial advantage in distinguishing between the output of $G_1$ and $G_2$ is negligible. Let $B$ be an adversary against the non-malleable CPA property of the ElGamal scheme. The adversary $B$ simulates the games for $A$ and uses the distinguishing advantage of $A$ to output a bit in the NM-CPA game. Assume that $\beta$ is the answer of the NM-CPA challenger to the adversary $B$ on a query $\{v_0, v_1\}$. The adversary $B$ sets $\beta$ on the bulletin board view of $A$ as a result of the oracle OVoteLR($id$, $v_0$, $v_1$). The adversary $B$ computes the tally result by querying the decryption oracle in the NM-CPA game for all ballots on the bulletin board except for $\beta$. The result $s$ is computed by the output of the decryption oracle and vote $v_0$ for the ballot $\beta$. Note that we use the decryption oracle of the NM-CPA challenger to decrypt the ballots before computing the result $s$. The proof $\Pi$ is simulated by sim-proof on the ballots on the visible bulletin board. The adversary $B$ exactly simulates $G_1$ if $\beta$ is an encryption of $v_0$, and $G_2$ otherwise. As a result, the advantage of the adversary $A$ in distinguishing $G_1$ from $G_2$ is equal to the advantage of adversary $B$ in the NM-CPA game. We proceed to show that $G_2$ and $G_3$ are indistinguishable. Again, a reduction to the NM-CPA security game of the ElGamal encryption scheme proves that the advantage of the adversary $A$ in distinguishing between the two games $G_2$ and $G_3$ is negligible. This reduction is simulated by the adversary $B$ as before by setting $\beta$ on the visible bulletin board. $\beta$ is an answer of the NM-CPA challenger to the adversary $B$ on a query $\{v_A, v\}$.
In the games $G_0$, $G_1$, $G_2$, and $G_3$, we step by step replace all the ballots that depend on the bit $b = 0$ with the corresponding ballots that depend on $BB_1$. In particular, we prove that the advantage of the adversary $A$ through the transition from $\mathsf{Exp}^{\mathsf{rf},0}_{A,ES}$ to $\mathsf{Exp}^{\mathsf{rf},1}_{A,ES}$ is negligible in security parameter $\lambda$.
5.3 Vote Privacy
We analyze the privacy of our scheme with the vote privacy game defined by $\mathsf{Exp}^{\mathsf{vpriv},b}_{A,A',ES}$, between the challenger and the adversary $A$. We extend the ballot privacy definition for a permutation of honest votes (Benaloh and Yung, 1986; Bernhard et al., 2015) with several oracles, and model a game such that the adversary should not be able to distinguish if the identity of two voters with the votes $v_0$ and $v_1$ are swapped.
Our vote privacy game tracks two bulletin boards $BB_0$ and $BB_1$ (see Fig. 3). Only one bulletin board is accessible to the adversary by calling the oracle OBoard(). The adversary can make calls to the oracle OVote($id$, $v$) to let a voter with $id$ cast a vote $v$ on $BB_0$ and $BB_1$, and to the oracle OCast($\beta_A$) to cast ballots $\beta_A$ generated by the adversary on $BB_0$ and $BB_1$. To model voter indistinguishability, we provide the adversary with the oracle OVoterIND($v_0$, $v_1$). The adversary's goal is to distinguish between two bulletin boards with the following change: the oracle OVoterIND($v_0$, $v_1$) lets a voter $id_0$ cast a vote for $v_0$, and a voter $id_1$ cast a vote for $v_1$, on $BB_0$. OVoterIND appends the ballots $\beta_{10}$ and $\beta_{01}$, which denote $id_1$ with a vote for $v_0$ and $id_0$ with a vote for $v_1$ respectively, on $BB_1$. More precisely, the identities of the ballots are swapped on $BB_1$ in comparison with $BB_0$. We use the notation OVoterIND($v_0$, $v_1$) to let $A$ make queries multiple times on different vote options for two honest voters $id_0$ and $id_1$. The adversary can query the oracle OTally() to see the result of the election. For the everlasting privacy property, we define a computationally unbounded adversary $A'$ receiving the view of the PPT adversary $A$ except for some auxiliary information such as network communication, timestamps, etc. Therefore, $A'$, who has access to $\mathsf{view}_A$, attempts to guess a bit $b$.
Definition 3. An election scheme ES achieves vote privacy if there exists an algorithm sim-proof such that for all adversaries $A'$ and $A$, where $A$ is a PPT adversary,
$$\Pr\left[\mathsf{Exp}^{\mathsf{vpriv},0}_{A,A',ES}(\lambda, L, V, R) = 1\right] - \Pr\left[\mathsf{Exp}^{\mathsf{vpriv},1}_{A,A',ES}(\lambda, L, V, R) = 1\right]$$
is negligible in $\lambda$.
Theorem 3. Our scheme provides vote privacy un-
der the statistical hiding property of the hash-based
commitment scheme in the random oracle model.
Proof. In this proof, we will step by step replace the view of the adversary in the game with $b = 0$ to the game $b = 1$. We show the advantage of the adversary $(A, A')$ is negligible in distinguishing these games.
Game $G_0$ is as $\mathsf{Exp}^{\mathsf{vpriv},0}_{A,A',ES}(\lambda, L, V, R)$. This experiment is equal to the voting situation, where the voter $id_0$ submits $\beta_{v_0}$ and the voter $id_1$ submits $\beta_{v_1}$. The oracle OVote allows $A$ to let an honest voter $id$ vote for a candidate $v$, while OCast allows voting on behalf of the corrupted voters and adds null ballots. In this game, $A$ has access to $BB_0$ by calling the oracle OBoard, and the result $(s, \Pi)$ is returned by oracle OTally() on $BB_0$. The everlasting adversary $A'$ takes the state of $A$ and the oracle output as an input.
Game $G_1$ is equal to $G_0$ apart from the following change: the zero-knowledge proofs are simulated by the challenger who has access to the trapdoor and programming random oracle with the simulation set up. $G_0$ and $G_1$ are indistinguishable by the simulatability of the zero-knowledge proof system.

$\mathsf{Exp}^{\mathsf{vpriv},b}_{A,A',ES}(\lambda, L, V, R)$:
    $(PP, sk_T, sk_\sigma) \leftarrow \mathsf{Setup}(\lambda, R)$
    $(id_0, id_1) \leftarrow A(PP, pk_T, L, V)$
    $b \leftarrow A^{O}(PP, L, V)$
    $b \leftarrow A'(PP, L, V, (id_0, id_1), \mathsf{view}_A)$
    output $b$

OVote$(id, v)$:
    if $v \notin V$ or $id \notin L \setminus \{id_0, id_1\}$ then return
    end if
    $\beta \leftarrow \mathsf{vote}(id, sk_{id}, pk_T, v)$
    $\mathsf{append}(\beta, BB_0)$
    $\mathsf{append}(\beta, BB_1)$

OVoterIND$(v_0, v_1)$:
    if $v_0 \notin V$ or $v_1 \notin V$ then return
    end if
    $\beta_{00} \leftarrow \mathsf{vote}(id_0, sk_{id_0}, pk_T, v_0)$
    $\beta_{11} \leftarrow \mathsf{vote}(id_1, sk_{id_1}, pk_T, v_1)$
    $\beta_{10} \leftarrow \mathsf{vote}(id_1, sk_{id_1}, pk_T, v_0)$
    $\beta_{01} \leftarrow \mathsf{vote}(id_0, sk_{id_0}, pk_T, v_1)$
    $\mathsf{append}((\beta_{00}, \beta_{11}), BB_0)$
    $\mathsf{append}((\beta_{10}, \beta_{01}), BB_1)$

OCast$(\beta_A)$:
    if $\mathsf{valid}(BB_b, \beta_A) = 0$ then return
    end if
    $\mathsf{append}(BB_0, \beta_A)$
    $\mathsf{append}(BB_1, \beta_A)$

OBoard$()$:
    return $BB_b$

OTally$()$:
    $(s, \Pi_0) \leftarrow \mathsf{tally}(BB_0, sk_T)$
    $\Pi_1 \leftarrow$ sim-proof$(BB_1, s)$
    return $(s, \Pi_b)$

Figure 3: Vote privacy $\mathsf{Exp}^{\mathsf{vpriv},b}_{A,A',ES}(\lambda, L, V, R)$.
Let $G_2$ be the game obtained from game $G_1$ with the following change on $BB_0$: the output of the oracle OVoterIND is replaced as follows: the ballot $\beta_{00} = (e_{v_0}, cr_0, \pi_{c_0})$ on $BB_0$ is replaced with the ballot $(e_{v_0}, cr_1, \pi_{c_0})$. Similarly, the ballot $\beta_{11} = (e_{v_1}, cr_1, \pi_{c_1})$ is replaced by the ballot $(e_{v_1}, cr_0, \pi_{c_1})$. As the zero-knowledge proofs are simulated by the challenger, this change is equal to the replacement of the voting pseudonym in $\beta_{00} = (e_{v_0}, cr_0, \pi_{c_0})$ and $\beta_{11} = (e_{v_1}, cr_1, \pi_{c_1})$ on $BB_0$. More precisely, the voting pseudonyms $cr_0$ and $cr_1$ are swapped, and the related proofs are simulated by the challenger. Other ballots on $BB_0$, which are either the output of OVote or OCast, remain the same as in $G_1$. The result $s$ is equal to the result of the game $G_1$ and the proof $\Pi$ is simulated by the sim-proof on the current bulletin board, namely, $BB_{G_2}$. At the end of this game, the adversary's view of the content of the bulletin board corresponds to $\mathsf{Exp}^{\mathsf{vpriv},1}_{A,A',ES}(\lambda, L, V, R)$. This experiment is equivalent to the game on $BB_1$, where the voter $id_1$ with pseudonym $cr_1$ submits vote $v_0$ and the voter $id_0$ submits $v_1$. In this game, $A$ has direct access to all oracles and channels while $A'$ takes all information of the view of $A$ excluding the communication.
We prove that the adversarial advantage in distinguishing between the output of $G_1$ and $G_2$ is negligible. Let $B$ be an adversary against the hiding property of the commitment scheme. $B$ simulates the games $G_1$ and $G_2$ for $A$ and uses the distinguishing advantage of $A$ to output a bit in the hiding game. Assume that $\{c_b, c_{1-b}\}$ is the answer of the hiding challenger to $B$ on a query $\{cr_0, cr_1\}$. $B$ adds $c_b$ and $c_{1-b}$ to the list $L$, and simulates the output of the oracle OVoterIND($v_0$, $v_1$) as follows: $\beta_b = (e_{v_0}, cr_0, \pi_{c_b})$ and $\beta_{1-b} = (e_{v_1}, cr_1, \pi_{c_{1-b}})$ on the bulletin board view of $A$ as a result of the oracle OVoterIND($v_0$, $v_1$). $B$ computes the tally result of all ballots on the bulletin board and returns the result. Note that $B$ can decrypt the ballots on the bulletin board. $B$ exactly simulates $G_1$ if $b = 0$ in the hiding game related to the commitments $\{c_b, c_{1-b}\}$, and $G_2$ if $b = 1$. Hence, the advantage of $A$ in distinguishing $G_1$ from $G_2$ is equal to the advantage of $B$ in the statistically hiding game. In particular, we prove that the advantage of the PPT adversary $A$ and the computationally unbounded adversary $A'$, who has access to the state of $A$, through the games that transfer from $\mathsf{Exp}^{\mathsf{vpriv},0}_{A,A',ES}$ to $\mathsf{Exp}^{\mathsf{vpriv},1}_{A,A',ES}$, is negligible in the security parameter $\lambda$.
5.4 Verifiability
A verifiable voting scheme guarantees that the result
of the election is computed on the votes of the fol-
lowing groups: 1) the group of honest voters, who
have verified their ballots on the bulletin board after
casting their ballots; 2) the group of corrupted vot-
ers, who are fully controlled by the adversary; 3) the
group of honest voters, who did not check their ballots
on the bulletin board. For the last group, the adversary
should not be able to modify the corresponding votes,
but they can still be dropped or replaced by earlier
ballots, if these exist.
In the tally phase, ballots with the same voting pseudonym are grouped. Let $BB = \{B_{cr_0}, B_{cr_1}, \ldots, B_{cr_{n_i}}\}$, where $B_{cr_i}$ denotes the ballots with the same pseudonym $cr_i$. Given a voting pseudonym $cr_i$, the final ballot is the result of multiplying all ballots in $B_{cr_i}$. The proof $\Pi$ ensures that the result $r$ is computed from $\{B_{cr_1}, B_{cr_0}, \ldots, B_{cr_{n_i}}\}$. Indeed, the soundness of the proof $\Pi$ prevents manipulation by an adversary, such as removing, adding, or modifying a ballot during the tally process. Let $|C|$ be the number of corrupted voters. We show that the adversary cannot corrupt more voters than $|C|$. Each ballot on $BB$ is either a ballot generated by the knowledge of the secret pseudonym of a voter or it is a null ballot generated by the bulletin board. The proof $\pi$ on a ballot verifies that the ballot is generated by the secret knowledge of the credential or the knowledge of the null ballot. The computationally binding property of the commitment scheme protects against the adversary who wants to generate a valid ballot with different $(cr', t')$ such that $H(cr', t') = c$ and $(cr', t') \neq (cr, t)$. In addition, the soundness property of SNARKs and the trusted setup protect against the forgery of a ballot proof by an adversary. Hence, the adversary cannot cast a new non-null ballot without knowing the secret credential information or the zero-knowledge trapdoor. The adversary cannot modify the vote of an honest voter by revoting. So, non-null ballots on the $BB$ that do not belong to honest voters must belong to corrupted voters. Thus, the bulletin board contains the ballots of the three groups mentioned above.
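The grouping step of the tally phase can be traced with a few ballots; the following is an added example, not the authors' implementation. It assumes a toy 10-bit ElGamal group, candidates encoded as $g^k$, a null ballot that encrypts the identity, and an update ballot that encrypts the quotient of the new and old encodings; the proofs $\pi$ and $\Pi$ are omitted and all names are hypothetical.

```python
import secrets
from collections import defaultdict

# Toy group (assumption): safe prime P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 1019, 509, 4
CANDIDATES = {pow(G, k, P): k for k in (1, 2, 3)}   # candidate k is encoded as g^k

def keygen():
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    r = 1 + secrets.randbelow(Q - 1)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def decrypt(sk, ct):
    a, b = ct
    return b * pow(a, Q - sk, P) % P     # a^(Q - sk) = a^(-sk) in the order-Q subgroup

def encode(k):
    return pow(G, k, P)

def vote_ballot(pk, cr, k):
    return (cr, encrypt(pk, encode(k)))

def update_ballot(pk, cr, old_k, new_k):
    # Encrypts new/old, so the product with the earlier ballot decrypts to new.
    quotient = encode(new_k) * pow(encode(old_k), P - 2, P) % P
    return (cr, encrypt(pk, quotient))

def null_ballot(pk, cr):
    # Encryption of the identity: multiplying it in leaves the group's vote unchanged.
    return (cr, encrypt(pk, 1))

def tally(sk, board):
    """Group ballots by pseudonym, multiply each group, decrypt the product."""
    groups = defaultdict(lambda: (1, 1))
    for cr, (a, b) in board:
        ga, gb = groups[cr]
        groups[cr] = (ga * a % P, gb * b % P)
    # A group holding only null ballots decrypts to 1, which decodes to None.
    return {cr: CANDIDATES.get(decrypt(sk, ct)) for cr, ct in groups.items()}

def demo():
    sk, pk = keygen()
    board = [                             # constructed sample board
        vote_ballot(pk, "cr_A", 2),       # ballot cast under coercion for candidate 2
        null_ballot(pk, "cr_A"),          # null ballot posted by the bulletin board
        vote_ballot(pk, "cr_B", 3),
        update_ballot(pk, "cr_A", 2, 1),  # later update to the voter's own choice 1
        null_ballot(pk, "cr_B"),
        null_ballot(pk, "cr_C"),          # pseudonym with null ballots only
    ]
    return tally(sk, board)
```

On the board every ballot is a fresh ElGamal ciphertext under a pseudonym, so the update for `cr_A` looks like one more null ballot; only the grouped product reveals that `cr_A` counts for candidate 1.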
6 CONCLUSION
In this paper we proposed a new receipt-free e-voting
scheme that also provides everlasting guarantees for
participation privacy and vote privacy. Our scheme
relies on hash-based commitments and zk-SNARK
proofs to achieve everlasting guarantees while not
compromising verifiability. In our scheme, the voter
pseudonyms are not concealed. This may help to
address a robustness issue (Haines et al., 2023) in
previous receipt-free voting schemes with everlasting
properties and minimal trust assumptions. For exam-
ple, in Locher and Haenni (Locher and Haenni, 2016)
a voter can submit an arbitrary number of ballots
causing the bulletin board to be flooded with them.
Such an attack cannot be avoided since the creden-
tials are encrypted. If a voter casts a large number
of ballots, the tallying phase can be costly. In our
scheme, such an attack would be noticeable by the
bulletin board (and anyone else looking at it), which
can eventually refuse to add ballots coming from the
same pseudonym. We can further limit the generation
of null ballots to a (distributed) party with a known
public key. In this case, the party casting a ballot
should prove that they know the secret information
of the public key and the null ballot. Therefore, ex-
tending our zero-knowledge proof for null ballots can
fully prevent the bulletin board from getting flooded
with null ballots.
We provide mathematical proofs that our scheme
meets the privacy properties with minimal trust as-
sumptions. For most properties, the sole assump-
tion is the existence of an anonymous channel be-
tween the voter and the bulletin board. For verifiabil-
ity, it is worth noting that zk-SNARK requires a one-
time trusted setup of public parameters. However,
such a requirement can be removed by replacing zk-
SNARK with zk-STARK (Ben-Sasson et al., 2018) at
the cost of less efficient proofs. Privacy and integrity
are dependent on the security of the commitment
scheme and ZK proof, while encryption is neces-
sary for other properties such as fairness and receipt-
freeness. Therefore, we note that hash-based commit-
ment schemes that possess post-quantum secure bind-
ing properties, in conjunction with zk-STARK, can be
used to build post-quantum secure e-voting systems
with everlasting privacy.
ACKNOWLEDGEMENTS
This work is supported by the Villum Foundation,
within the project “Enabling User Accountable Mech-
anisms in Decision Systems”.
REFERENCES
Adida, B. (2008). Helios: Web-based open-audit voting. In
USENIX.
Ben-Sasson, E., Bentov, I., Horesh, Y., and Riabzev, M.
(2018). Scalable, transparent, and post-quantum
secure computational integrity. Cryptology ePrint
Archive.
Benaloh, J. and Tuinstra, D. (1994). Receipt-free secret-
ballot elections. In STOC.
Benaloh, J. C. and Yung, M. (1986). Distributing the power
of a government to enhance the privacy of voters. In
PODC.
Bernhard, D., Cortier, V., Galindo, D., Pereira, O., and
Warinschi, B. (2015). Sok: A comprehensive anal-
ysis of game-based ballot privacy definitions. In IEEE
Symposium on Security and Privacy.
Bernhard, D., Kulyk, O., and Volkamer, M. (2017). Security
proofs for participation privacy, receipt-freeness and
ballot privacy for the Helios voting scheme. In ARES.
Bohli, J.-M., Müller-Quade, J., and Röhrich, S. (2007).
Bingo voting: Secure and coercion-free voting using
a trusted random number generator. In E-VOTE ID.
Brandt, F. (2005). Efficient cryptographic protocol design
based on distributed el gamal encryption. In Int. Conf.
on Information Security and Cryptology.
Buchmann, J., Demirel, D., and Graaf, J. v. d. (2013). To-
wards a publicly-verifiable mix-net providing ever-
lasting privacy. In Financial Cryptography and Data
Security.
Camenisch, J. and Stadler, M. (1997). Efficient group signa-
ture schemes for large groups. In Annual International
Cryptology Conference, pages 410–424. Springer.
Chaidos, P., Cortier, V., Fuchsbauer, G., and Galindo, D.
(2016). Beleniosrf: A non-interactive receipt-free
electronic voting scheme. In CCS.
Chaum, D. and Pedersen, T. P. (1992). Wallet databases
with observers. In Annual international cryptology
conference, pages 89–105. Springer.
Demirel, D., Henning, M., Graaf, J. v. d., Ryan, P. Y., and
Buchmann, J. (2013). Prêt à voter providing everlasting
privacy. In E-VOTE ID.
Demirel, D., Van De Graaf, J., and dos Santos Araújo, R. S.
(2012). Improving helios with everlasting privacy
towards the public. Evt/wote.
Fiat, A. and Shamir, A. (1986). How to prove your-
self: Practical solutions to identification and signature
problems. In Conference on the theory and appli-
cation of cryptographic techniques, pages 186–194.
Springer.
Haines, T., Müller, J., Mosaheb, R., and Pryvalov, I.
(2023). Sok: Secure e-voting with everlasting privacy.
PoPETs.
Hirt, M. and Sako, K. (2000). Efficient receipt-free voting
based on homomorphic encryption. In Int. Conf. on
the Theory and Applications of Cryptographic Tech-
niques.
Juels, A., Catalano, D., and Jakobsson, M. (2005).
Coercion-resistant electronic elections. In Towards
Trustworthy Elections.
Katz, J. and Lindell, Y. (2007). Private key encryption and
pseudorandomness. Introduction to Modern Cryptog-
raphy, Chapman & Hall/CRC Cryptography and Net-
work Security, pages 47–109.
Kulyk, O., Teague, V., and Volkamer, M. (2015). Extending
helios towards private eligibility verifiability. In E-
VOTE ID.
Locher, P. and Haenni, R. (2015). Verifiable internet elec-
tions with everlasting privacy and minimal trust. In
E-VOTE ID.
Locher, P. and Haenni, R. (2016). Receipt-free remote elec-
tronic elections with everlasting privacy. Annals of
Telecommunications.
Moran, T. and Naor, M. (2006). Receipt-free universally-
verifiable voting with everlasting privacy. In Annual
International Cryptology Conference.
Okamoto, T. (1997). Receipt-free electronic voting schemes
for large scale elections. In Workshop on Security Pro-
tocols.
Ryan, P. Y., Bismark, D., Heather, J. A., Schneider, S. A.,
and Xia, Z. (2009). The prêt à voter verifiable election
system. IEEE TIFS.
Ryan, P. Y., Rønne, P. B., and Iovino, V. (2016). Selene:
Voting with transparent verifiability and coercion-
mitigation. In Financial Cryptography and Data Se-
curity.
Sako, K. and Kilian, J. (1995). Receipt-free mix-type voting
scheme. In International Conference on the Theory
and Applications of Cryptographic Techniques.
Schnorr, C.-P. (1991). Efficient signature generation by
smart cards. Journal of cryptology, 4(3):161–174.
SECRYPT 2023 - 20th International Conference on Security and Cryptography