
Enhanced Anonymous Credentials for E-Voting Systems

Tomasz Truderung

TL;DR

This work tackles everlasting ballot privacy in e-voting by augmenting anonymous voter credentials with perfectly hiding commitments that bind credentials to voters via a publicly posted opening $t_i$ and reference $\rho_i = \mathrm{Comm}(vid_i, t_i)$. The scheme preserves unlinkability of published ballots while enabling essential consistency checks during casting and cast-as-intended auditing, addressing clash attacks and cross-voting. It relies on an honest registrar, an honest voting server during casting, and trusted voter clients and second devices; a computationally binding property of the commitment prevents multiple openings from mapping to different voters. A practical secret-delivery variant improves ergonomics by using a passcode-derived key to securely fetch the needed secrets, optionally with second-factor authentication, without undermining the core security guarantees. The approach offers a viable path to enforce everlasting privacy in real-world e-voting while maintaining eligibility and verifiability guarantees and reducing operational friction.

Abstract

A simple and practical method for achieving everlasting privacy in e-voting systems, without relying on advanced cryptographic techniques, is to use anonymous voter credentials. The simplicity of this approach may, however, create some challenges when combined with other security features, such as cast-as-intended verifiability with a second device and second-factor authentication. This paper considers a simple augmentation to the anonymous credential mechanism, using perfectly hiding commitments to link such credentials to the voter identities. This solution strengthens the binding between voters and their credentials while preserving everlasting privacy. It ensures that published ballots remain unlinkable to voter identities, yet enables necessary consistency checks during ballot casting and ballot auditing.
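
The two commitment properties named in the summary (perfectly hiding, computationally binding) can be seen in a small added example, which is not code from the paper. It assumes a Pedersen commitment as the instantiation of Comm, which this page does not specify; the toy group parameters, the known trapdoor and all helper names are constructed for the illustration.

```python
import secrets

# Toy group constructed for this example: P = 2Q + 1 with P, Q prime.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q = 2039, 1019
G = 4              # a square mod P, so it generates the order-Q subgroup
TRAPDOOR = 777     # log_G(H); in a real setup nobody may know this value
H = pow(G, TRAPDOOR, P)


def commit(vid: int, t: int) -> int:
    """rho = Comm(vid, t) = G^vid * H^t mod P (Pedersen, assumed here)."""
    return (pow(G, vid % Q, P) * pow(H, t % Q, P)) % P


def issue(vid: int) -> tuple[int, int]:
    """Hypothetical helper: draw a random opening t and return (t, rho)."""
    t = secrets.randbelow(Q)
    return t, commit(vid, t)


def check(rho: int, vid: int, t: int) -> bool:
    """Consistency check: does the opening t tie rho to this voter id?"""
    return commit(vid, t) == rho


def equivocate(vid: int, t: int, other_vid: int) -> int:
    """Return t' with Comm(other_vid, t') == Comm(vid, t).

    Solves vid + x*t = other_vid + x*t' (mod Q) for t', where x is the
    trapdoor. Such a t' exists for every other_vid, so rho alone carries
    no information about vid (perfect hiding). Computing it requires x,
    i.e. a discrete log, so binding holds only computationally.
    """
    return (t + (vid - other_vid) * pow(TRAPDOOR, -1, Q)) % Q


if __name__ == "__main__":
    t, rho = issue(42)                    # constructed voter id
    print("opening accepted for 42:", check(rho, 42, t))
    print("same opening for 43:   ", check(rho, 43, t))
    t2 = equivocate(42, t, 43)
    print("trapdoor opening for 43:", check(rho, 43, t2))
```

The last call is what an adversary with unlimited computing power could do at any time in the future, which is why a published commitment alone cannot be linked to a voter, while the scheme's binding guarantee depends on the discrete log staying hard.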

Paper Structure

This paper contains 15 sections, 1 equation.