Secure Remote Voting Using Paper Ballots

Internet voting will probably be one of the most significant achievements of the future information society. It will have an enormous impact on the election process making it fast, reliable and inexpensive. Nonetheless, so far remote voting is considered to be very difficult, as one has to take into account susceptibility of the voter’s PC to various cyber-attacks. As a result, most the research effort is put into developing protocols and machines for poll-site electronic voting. Although these solutions yield promising results, they cannot be directly adopted to Internet voting because of secure platform problem. However, the cryptographic components they utilize may be very useful. This paper presents a scheme based on combination of mixnets and homomorphic encryption borrowed from robust poll-site voting, along with techniques recommended for remote voting – code sheets and test ballots. The protocol tries to minimize the trust put in voter’s PC by making the voter responsible for manual encryption of his vote. To achieve this, the voter obtains a paper ballot that allows him to scramble the vote by performing simple operations (lookup in a table). Creation of paper ballots, as well as decryption of votes, is performed by a group of cooperating trusted servers. As a result, the scheme is characterized by strong asymmetry – all computations are carried out on the server side. In consequence it does not require any additional hardware on the voter’s side, and offers distributed trust, receipt-freeness and verifiability.

💡 Research Summary

The paper proposes a novel remote‑voting protocol that eliminates the need to trust the voter’s personal computer with any cryptographic computation. Instead, each voter receives a paper ballot that contains a simple lookup table allowing the voter to “manually encrypt” his or her choice by adding a secret shift value (sh) modulo the number of candidates (c). The shift value is generated by a set of cooperating servers and is embedded in the ballot through a series of partially‑decrypting onions that travel through a mix‑net.

The protocol proceeds as follows. After a conventional registration process (similar to e‑banking), the voter obtains a voting kit containing authentication credentials. A few months before the election the voter visits a local authority to collect two paper ballots. One ballot is selected for verification and then destroyed; the other is used for casting the vote. The ballot presents a table that maps each candidate number v to an encrypted value v + sh (mod c). The voter reads the table, writes down the resulting number, and submits it via a secure web session to Election Committee 1 (EC1). EC1 publishes the voter’s identifier together with the encrypted vote on a public bulletin board (BB). The voter can verify that his or her entry appears unchanged.

All encrypted votes are then processed by a distributed set of authorities A₁, A₃,…,A_λ. Each authority holds an ElGamal key pair (x_i, y_i) and participates in a partially‑decrypting mix‑net. The mix‑net performs two functions: (1) it shuffles the ciphertexts using secret permutations π_i, and (2) it adds the secret shift values l_{i,j} (derived from sh) homomorphically. The mix‑net uses the functions ho_k and ht_k,l, which combine ElGamal encryption with a homomorphic addition operation, allowing the cumulative shift to be applied without revealing individual contributions. Randomized Partial Checking (RPC) is employed: each server commits to its permutation and to the l‑vectors, then reveals a randomly selected half of its input‑output links, ensuring that no adversary can replace or tamper with any ballot without being detected.

After the final server completes the partial decryption, the accumulated shift is removed, revealing the original candidate number for each vote. The results are then published. Because the voter never sees any verification data that could serve as a receipt, the scheme achieves receipt‑freeness. Individual verifiability is provided by the BB entry, while global verifiability follows from the publicly auditable mix‑net and homomorphic tally.

Key contributions include:

• A manual encryption step that requires only a lookup on paper, removing any cryptographic burden from the voter’s device.
• Integration of mix‑nets with homomorphic ElGamal to support distributed addition of the secret shift, enabling the server‑side de‑scrambling of votes.
• Use of RPC to guarantee robustness of the mix‑net without requiring trusted hardware on the client side.
• A trust‑distribution model where ballot generation, shift generation, shuffling, and decryption are each performed by independent authorities, limiting the power of any single entity.

The authors acknowledge practical challenges such as secure printing, distribution, and destruction of paper ballots; scalability of the mix‑net for large electorates; and the need for rigorous auditing of the server authorities. Nonetheless, the protocol demonstrates that a combination of well‑studied cryptographic primitives (mix‑nets, homomorphic encryption) with simple paper‑based operations can yield a remote voting system that is fast, inexpensive, receipt‑free, and verifiable without requiring any special hardware on the voter’s side.