
arxiv: 2605.19312 · v1 · pith:GRZEEL6Cnew · submitted 2026-05-19 · 💻 cs.CR

MultiBallot: Verifiable and privacy-preserving E-Collecting in the Swiss setting

Pith reviewed 2026-05-20 05:11 UTC · model grok-4.3

classification 💻 cs.CR
keywords: e-collecting, electronic signatures, privacy, verifiability, Switzerland, direct democracy, secure protocol

The pith

A protocol lets Swiss citizens sign policy initiatives electronically while keeping who participated private and letting anyone verify the count.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The authors first adapt the established Swiss e-voting trust model to the distinct requirements of signature collection for popular initiatives and referendums. They then present a concrete protocol that delivers both end-to-end verifiability and participation privacy under those realistic assumptions. The privacy property holds without an anonymous channel because, at any moment, many different collections are running in parallel and each voter’s action is indistinguishable from actions in the other collections. If the protocol works as claimed, citizens could move signature drives online without weakening the legal force of the resulting petitions or exposing who supported which initiative.

Core claim

We derive a realistic e-collecting setting from the Swiss e-voting model and construct a protocol that simultaneously achieves verifiability and privacy, with participation privacy obtained from the natural presence of many concurrent collections rather than from an anonymous channel.

What carries the argument

MultiBallot, the protocol that combines ballot casting, tallying, and verification steps adapted from e-voting while using concurrent active collections to mask individual participation.

If this is right

  • Signature collection drives could be conducted entirely online while remaining legally binding under Swiss rules.
  • Voters would not need special anonymous-communication tools to protect their participation.
  • Anyone could check that all submitted signatures were counted correctly and that no extra signatures were added.
  • The same infrastructure used for e-voting pilots could be reused for e-collecting with modest changes.
  • Trust assumptions stay limited to the same parties already trusted in Swiss e-voting deployments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • The same parallel-collection trick could be tried in other countries that run multiple simultaneous petitions or ballot measures.
  • If real-world usage shows that collections rarely overlap enough, the protocol would need an additional anonymity layer after all.
  • The design might also support other civic actions such as public consultations that require both privacy and auditability.
  • A small-scale pilot with live overlapping initiatives would give the clearest test of whether the privacy argument holds in practice.

Load-bearing premise

That the Swiss e-collecting process can be modeled directly on the e-voting trust assumptions and that the mere existence of many parallel collections at any time is enough to hide which collection any given voter joined.

What would settle it

A concrete attack that, given only the public data from several overlapping collections, links a particular signature to a specific voter with non-negligible probability.

Figures

Figures reproduced from arXiv: 2605.19312 by Florian Moser, Léo Louistisserand.

Figure 1: Swiss collections over the years [27]. At any point in time, at least 5 initiatives have been in their active collection phase. In academia, the security of e-collecting has not received any attention so far. Further, actual deployed e-collection systems seem to be lagging behind what is considered state-of-the-art for voting systems. The e-collecting system for the European Citizens Initiative (ECI) needs…

Figure 2: The ballot. For each active collection C1, C2 and C3, there is a dedicated ciphertext. To participate, the corresponding ciphertext is replaced by an encryption of 1. All other ciphertexts are re-encrypted. The ballot consists of a ciphertext for each active collection. To sign one or more new collections, the Participation Device encrypts 1 for these specific collections, and re-encrypts the ciphertext fo…

Figure 3: The Setup. Audit Device and Talliers register their corresponding public key, and the Electoral Roll defines the whitelist of eligible voters. Then, the initial ballot is created as an encryption of 0. The public key of the Audit Device is reused over collections. To authenticate the messages of the voter, for example an electronic id may be used.

Figure 4: The Participation. For every collection C, the Participation Device either encrypts 1 or re-encrypts the previous ciphertext. It creates a zero-knowledge proof that the ballot is well-formed and then sends the new entry to the Bulletin Board. To perform the individual verification, the Audit Device decrypts the ciphertext and shows the plaintext s to the Voter.

Figure 5: The impact of rotating the voter encryption key on individual verification. Participations created after rotating the key can be decrypted. Otherwise, the last ciphertext from before the key rotation can be decrypted using the previous secret key.

Figure 6: The Tally. For every collection C, Talliers aggregate the ciphertext from the respective last entry of the ballots. Then, the aggregated ciphertext is decrypted. As the ballots are attributed to the voters, groups of ballots may be formed and decrypted separately, e.g., for statistical purposes in age groups or per electoral roll. Further, instead of just tallying at the end of the collection period, the …

Figure 7: Hybrid participation over another channel HC. When the HC creates a participation for the Voter, they send corresponding evidence to the Talliers. If the evidence indicates the Voter has participated over HC, the Talliers verify that the last (tallied) ciphertext indeed encrypts 1. Otherwise, the Talliers verify that HC did not stuff the participation. To ease presentation, this Figure simplifies the audi…

Figure 8: Verifiability claims for MultiBallot. We list the agents that have to be honest for each property to hold (PD: participation device, AD: audit device, HC: hybrid channel, ER: electoral roll). For universal verifiability, an honest audit device AD would discover ballot stuffing by HC or PD. Further, the Talliers would discover a misbehaving HC, and the ER’s actions are public, and can therefore also be audi…

Figure 9: Privacy claims for MultiBallot. We list the agents that have to be honest for each property to hold (PD: participation device, AD: audit device, HC: hybrid channel). We denote all talliers here explicitly, as for the audit each individual tallier will learn the evidence e of HC, and therefore could break the privacy of the impacted voters. [...] executed. To ensure indeed all ballots reach the tally, we must a…
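The ballot mechanics described in the captions of Figures 2, 3, 4 and 6 (one ciphertext per active collection, an encryption of 1 to sign, re-encryption of everything else, homomorphic aggregation of each voter's last entry at tally time), as an added Python example that is not the paper's code. It assumes a toy exponential-ElGamal group and a single tallier key; the separate audit-device key, the key rotation of Figure 5, the zero-knowledge proofs and the voter names are simplifications and constructed values for illustration only.

```python
import secrets

# Constructed toy group: safe prime p = 2q + 1 and a generator g of the
# order-q subgroup. Real deployments use 2048-bit+ groups or elliptic curves.
P, Q, G = 1019, 509, 4

def keygen():
    """Tallier key pair for exponential ElGamal: secret x, public y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m):
    """Exponential ElGamal (g^r, g^m * y^r): additively homomorphic in m."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, m, P) * pow(y, r, P)) % P

def add(c, d):
    """Componentwise product: encrypts the sum of the two plaintexts."""
    return (c[0] * d[0]) % P, (c[1] * d[1]) % P

def reencrypt(y, c):
    """Same plaintext, fresh randomness: multiply by an encryption of 0."""
    return add(c, encrypt(y, 0))

def decrypt(x, c, max_m):
    """Recover g^m, then m by brute force (tallies are small integers)."""
    gm = (c[1] * pow(c[0], Q - x, P)) % P  # c1^(q-x) = c1^(-x) in the subgroup
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside the expected range")

def initial_ballot(y, collections):
    """Figure 3: the initial ballot encrypts 0 for every active collection."""
    return {c: encrypt(y, 0) for c in collections}

def participate(y, ballot, signed):
    """Figure 4: encrypt 1 for signed collections, re-encrypt all others, so every
    ciphertext changes either way. The ZK proof of well-formedness is omitted."""
    return {c: encrypt(y, 1) if c in signed else reencrypt(y, ct)
            for c, ct in ballot.items()}

def tally(x, board, collections):
    """Figure 6: aggregate each voter's last entry per collection, then decrypt."""
    result = {}
    for c in collections:
        acc = (1, 1)  # neutral element: an encryption of 0 with r = 0
        for entries in board.values():
            acc = add(acc, entries[-1][c])
        result[c] = decrypt(x, acc, len(board))
    return result

def run_example():
    """Constructed scenario: three active collections, three voters."""
    collections = ["C1", "C2", "C3"]
    x, y = keygen()
    board = {v: [initial_ballot(y, collections)] for v in ["alice", "bob", "carol"]}
    board["alice"].append(participate(y, board["alice"][-1], {"C1"}))
    board["bob"].append(participate(y, board["bob"][-1], {"C1", "C3"}))
    board["carol"].append(participate(y, board["carol"][-1], set()))  # signs nothing
    board["alice"].append(participate(y, board["alice"][-1], {"C2"}))  # C1 stays 1
    # Individual verification (Figure 4): decrypt one ciphertext for the voter.
    alice_c1 = decrypt(x, board["alice"][-1]["C1"], 1)
    return tally(x, board, collections), alice_c1
```

Without the omitted well-formedness proof, a participation device could submit an encryption of any integer instead of 0 or 1, and the homomorphic tally would count it; that is the check the proof in Figure 4 exists to enforce.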
Original abstract

As part of the political process, citizens may participate in signature collections to influence policy changes. In Switzerland, this even results in legally binding acts, similar to an election system. In this work, we first derive a realistic setting for e-collecting in Switzerland, based on the setting established for e-voting. Then, we propose a secure protocol in this setting, achieving both privacy and verifiability under realistic trust assumptions. Notably, participation privacy is guaranteed without assuming an anonymous channel, by considering the fact that at any given point in time, many collections are active in parallel.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript first derives a realistic setting for e-collecting in Switzerland from the established e-voting setting. It then proposes the MultiBallot protocol, which is claimed to achieve both verifiability and privacy under realistic trust assumptions. A central feature is that participation privacy is guaranteed without an anonymous channel by exploiting the fact that many collections are active in parallel at any given time.

Significance. If the security claims hold, the work could provide a context-specific solution for Swiss e-collecting that maintains both verifiability and privacy without requiring anonymous channels, potentially supporting broader adoption of digital tools in signature collection processes.

major comments (1)
  1. [Security arguments / MultiBallot construction] The participation-privacy claim (abstract and security arguments) rests on the informal assertion that parallel active collections suffice to hide which collection a signer participates in. No formal privacy definition (e.g., an indistinguishability game for participation) is supplied, no minimum number of concurrent collections is quantified, and no analysis of side channels (differing collection sizes, public supporter lists, or timing metadata) is given; this is load-bearing for the central claim that privacy holds without an anonymous channel.
minor comments (1)
  1. [Setting derivation] The derivation of the e-collecting setting from e-voting would be strengthened by explicit citations to the specific e-voting works or models being adapted.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive and detailed review. The major comment on the participation-privacy arguments is addressed below; we agree that formalization and additional analysis will strengthen the manuscript and will incorporate these changes in the revision.

Point-by-point responses
  1. Referee: The participation-privacy claim (abstract and security arguments) rests on the informal assertion that parallel active collections suffice to hide which collection a signer participates in. No formal privacy definition (e.g., an indistinguishability game for participation) is supplied, no minimum number of concurrent collections is quantified, and no analysis of side channels (differing collection sizes, public supporter lists, or timing metadata) is given; this is load-bearing for the central claim that privacy holds without an anonymous channel.

    Authors: We agree that the current presentation relies on an informal argument derived from the Swiss e-collecting setting. In the revised manuscript we will introduce a formal indistinguishability game for participation privacy that models an adversary attempting to determine a signer's chosen collection when multiple collections run concurrently. We will also quantify a minimum number of concurrent collections required, drawing on publicly available statistics about the typical number of active Swiss signature collections. Finally, we will add an explicit analysis of side channels, including collection-size variation, public supporter lists, and timing metadata, and show under which trust assumptions these channels do not violate the claimed privacy guarantees. These additions will appear in the security definitions and arguments section.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity; privacy claim rests on external Swiss setting fact

Full rationale

The paper first derives a realistic e-collecting setting from established e-voting assumptions and then proposes a protocol achieving privacy and verifiability. Participation privacy without an anonymous channel is justified by the external observation that many collections run in parallel at any time, presented as a fact about the Swiss context rather than a result derived from the protocol itself. No equations, self-definitions, fitted parameters renamed as predictions, or load-bearing self-citations appear in the provided text that would reduce the central claims to the inputs by construction. The derivation chain remains independent of the target privacy property.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The central claim rests on the derivation of a realistic e-collecting setting from e-voting practice and on the external observation that many collections run in parallel; no free parameters or invented physical entities are mentioned.

axioms (2)
  • domain assumption: A realistic setting for e-collecting can be derived from the setting established for e-voting.
    Stated directly in the abstract as the starting point for the protocol design.
  • domain assumption: At any given point in time many collections are active in parallel.
    Invoked to justify participation privacy without an anonymous channel.
invented entities (1)
  • MultiBallot protocol (no independent evidence)
    purpose: Achieve verifiable and privacy-preserving e-collecting under the derived Swiss setting
    The protocol is introduced by the authors as the main technical contribution.

pith-pipeline@v0.9.0 · 5621 in / 1391 out tokens · 38370 ms · 2026-05-20T05:11:34.436344+00:00 · methodology



Reference graph

Works this paper leans on

32 extracted references · 32 canonical work pages

  1. Abraxas: VOTING E-Collecting docs, https://github.com/abraxas-labs/voting-ecollecting-docs
  2. Année Politique Suisse: Dossier: Missbräuchliche Unterschriftensammlung, https://anneepolitique.swiss/dossiers/1607
  3. Année Politique Suisse: Missbräuchliche Unterschriftensammlungen, https://anneepolitique.swiss/prozesse/68174
  4. Arapinis, M., Cortier, V., Kremer, S., Ryan, M.: Practical everlasting privacy. In: International Conference on Principles of Security and Trust. Springer (2013)
  5. Bundesrat: Elektronische Unterschriftensammlung für eidgenössische Volksbegehren (E-Collecting): Bericht des Bundesrates in Erfüllung des Postulates 21.3607 Staatspolitische Kommission NR vom 27. Juni 2021. Bericht e-parl 21.11.2024 09:19, Bundesrat der Schweizerischen Eidgenossenschaft (Nov 2024)
  6. Cheval, V., Cortier, V., Debant, A.: Election verifiability with ProVerif. In: 2023 IEEE 36th Computer Security Foundations Symposium (CSF). pp. 43–58. IEEE (2023)
  7. Cortier, V., Debant, A., Gaudry, P., Louistisserand, L.: Vote&Check: Secure postal voting with reduced trust assumptions. Proceedings on Privacy Enhancing Technologies (2025)
  8. Cortier, V., Galindo, D., Glondu, S., Izabachene, M.: Election verifiability for Helios under weaker trust assumptions. In: European Symposium on Research in Computer Security. pp. 327–344. Springer (2014)
  9. Cortier, V., Galindo, D., Küsters, R., Mueller, J., Truderung, T.: SoK: Verifiability notions for e-voting protocols. In: 2016 IEEE Symposium on Security and Privacy (SP). IEEE (2016)
  10. Cortier, V., Gaudry, P., Glondu, S.: Belenios: a simple private and verifiable electronic voting system. In: Foundations of Security, Protocols, and Equational Reasoning: Essays Dedicated to Catherine A. Meadows. Springer (2019)
  11. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory (2003)
  12. European Commission: Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32017D0046
  13. European Union: Regulation (EU) 2019/788 of the European Parliament and of the Council of 17 April 2019 on the European citizens’ initiative, https://eur-lex.europa.eu/eli/reg/2019/788/oj/eng
  14. Federal Chancellery: E-Collecting, https://www.bk.admin.ch/bk/de/home/politische-rechte/e-collecting.html
  15. Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: International Workshop on the Theory and Application of Cryptographic Techniques. Springer (1992)
  16. Haines, T., Mueller, J., Mosaheb, R., Pryvalov, I.: SoK: Secure e-voting with everlasting privacy. In: Privacy Enhancing Technologies Symposium (PETS) (2023)
  17. Heiberg, S., Willemson, J.: Verifiable internet voting in Estonia. In: 2014 6th International Conference on Electronic Voting: Verifying the Vote (EVOTE). IEEE (2014)
  18. Häfliger, M., Knellwolf, T.: Tausende Daten für Initiativen gefälscht: Unterschriften-Bschiss erschüttert die Schweiz, https://www.tagesanzeiger.ch/384143367276
  19. Kanton St. Gallen: Kanton startet Pilotversuch mit E-Collecting, https://www.sg.ch/news/sgch_allgemein/2025/12/kanton-startet-pilotversuch-mit-e-collecting.html
  20. Küsters, R., Truderung, T., Vogt, A.: A game-based definition of coercion resistance and its applications. Journal of Computer Security (2012)
  21. Locher, P., Haenni, R.: Receipt-free remote electronic elections with everlasting privacy. Annals of Telecommunications (2016)
  22. Lueks, W., Querejeta-Azurmendi, I., Troncoso, C.: VoteAgain: A scalable coercion-resistant voting system. In: 29th USENIX Security Symposium (USENIX Security
  23. Bühlmann, M., Schaub, H.-P.: Staatspolitische Auswirkungen von E-Collecting: Studie im Auftrag der Bundeskanzlei. Tech. rep., Année Politique Suisse, Institut für Politikwissenschaft, Universität Bern (Jan 2023), https://www.newsd.admin.ch/newsd/message/attachments/90666.pdf, study commissioned by the Swiss Federal Chancellery
  24. Moser, F., Müller, J., Cortier, V., Debant, A., Gaudry, P., Goetschmann, A., Küsters, R., Volkamer, M.: A study of mechanisms for end-to-end verifiable online voting (STUVE). Tech. rep., Federal Office for Information Security, Germany (Oct 2024), https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/Cryptography/End-to-End-Verifiable_...
  25. Müller, J., Pejó, B., Pryvalov, I.: DeVoS: Deniable yet verifiable vote updating. Proceedings on Privacy Enhancing Technologies (2024)
  26. Optimity Advisors: Study on data requirements for the European Citizens’ Initiative, https://citizens-initiative.europa.eu/document/download/ccfa34c7-2c17-4f81-ba49-58324bd8def3_en
  27. Schweizerische Bundeskanzlei: Chronologie Volksinitiativen, https://www.bk.admin.ch/ch/d/pore/vi/vis_2_2_5_1.html
  28. Schweizerische Bundeskanzlei: Verordnung der BK über die elektronische Stimmabgabe (December 2013)
  29. Smyth, B., Bernhard, D.: Ballot secrecy and ballot independence coincide. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) Computer Security – ESORICS 2013. Springer Berlin Heidelberg (2013)
  30. Staatskanzlei St. Gallen: sGS 125.1 - Gesetz über Referendum und Initiative (RIG), https://www.gesetzessammlung.sg.ch/app/de/texts_of_law/125.1/versions/3837
  31. Swiss Confederation: Federal Constitution of the Swiss Confederation, https://www.fedlex.admin.ch/eli/cc/1999/404/en
  32. Swiss Post: Swiss Post Voting System: System Specification. Version 1.5.2. Tech. rep., Swiss Post (2025), https://gitlab.com/swisspost-evoting/e-voting/e-voting-documentation/-/blob/342ea9e3339a70168ccfa3fef16eb096e811f9ef/System/System_Specification.pdf