
arxiv: 2604.18163 · v2 · submitted 2026-04-20 · 💻 cs.CR

Audit-or-Cast: Enforcing Honest Elections with Privacy-Preserving Public Verification

Pith reviewed 2026-05-10 04:57 UTC · model grok-4.3

classification 💻 cs.CR
keywords: electronic voting · end-to-end verifiability · receipt-freeness · tally-hiding · coercion resistance · public auditability · untrusted clients

The pith

ACE voting protocol delivers end-to-end verifiability and receipt-freeness while hiding vote tallies without trusted clients.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces ACE, a cryptographic voting protocol designed to let the public verify that every vote was recorded and counted correctly while keeping the overall tally hidden and preventing voters from being coerced into proving how they voted. It addresses limitations in prior systems that either expose vote distributions publicly, require voters to trust their devices, or allow transferable receipts that enable coercion. By combining a tally-hiding aggregation step with an Audit-or-Cast mechanism, ACE lets each voter challenge the system to prove their ballot was handled correctly or cast it normally, all enforced through untrusted client software. The protocol uses tallier-side re-randomization of ballots to break any persistent link between a voter and their public record, achieving information-theoretic receipt-freeness as long as at least one tallier remains honest.

Core claim

We present ACE, a voting protocol that combines a publicly verifiable, tally-hiding aggregation mechanism with an Audit-or-Cast challenge that enforces cast-as-intended even under untrusted client assumptions. Tallier-side re-randomization eliminates persistent links between voters and public records, yielding information-theoretic receipt-freeness assuming at least one honest tallier. We formalize the security of ACE and show that it simultaneously achieves end-to-end verifiability, publicly tally-hiding results, and strong receipt-freeness without trusted clients.

What carries the argument

The Audit-or-Cast challenge, paired with tallier-side re-randomization of ballots, which lets voters force a proof of correct handling or cast their vote while breaking voter-to-ballot links.
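
A toy illustration of the two mechanisms named above, added here and not taken from the paper: a Benaloh-style audit-or-cast check and tallier-side ciphertext re-randomization. The page does not specify ACE's primitives, so exponential ElGamal over a deliberately tiny group stands in for them; all names (`Device`, `audit`, `rerandomize`) and parameters are assumptions.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1            # tallier secret key
    return x, pow(G, x, P)                      # (sk, pk)

def encrypt(pk, vote, r):
    """Exponential ElGamal: (g^r, g^vote * pk^r)."""
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def decrypt(sk, ct, choices=(0, 1)):
    c1, c2 = ct
    m = c2 * pow(c1, Q - sk, P) % P             # c1^(-sk), since c1 has order q
    return next(v for v in choices if pow(G, v, P) == m)

class Device:
    """Untrusted client (hypothetical model). It must output the ciphertext
    before it learns whether the voter will audit or cast."""
    def __init__(self, pk, flip=False):
        self.pk, self.flip = pk, flip
    def commit(self, intended):
        self.r = secrets.randbelow(Q - 1) + 1
        encoded = 1 - intended if self.flip else intended   # a cheating device flips the vote
        return encrypt(self.pk, encoded, self.r)
    def open(self):
        return self.r                           # revealed only on the audit path

def audit(pk, ct, intended, r):
    """Independent check: recompute the ballot from the revealed randomness.
    An audited ballot is spoiled and never cast."""
    return ct == encrypt(pk, intended, r)

def rerandomize(pk, ct, s):
    """Tallier side: multiply in a fresh encryption of 0 (plaintext unchanged)."""
    c1, c2 = ct
    return c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P

def demo():
    sk, pk = keygen()
    honest, cheat = Device(pk), Device(pk, flip=True)
    # Audit path: the voter intends 1 and challenges each device.
    ok_honest = audit(pk, honest.commit(1), 1, honest.open())
    ok_cheat = audit(pk, cheat.commit(1), 1, cheat.open())
    # Cast path: a fresh ballot is re-randomized before publication.
    cast = honest.commit(1)
    r = honest.r                                # what a coerced voter could hand over
    posted = rerandomize(pk, cast, secrets.randbelow(Q - 1) + 1)
    receipt_works = any(audit(pk, posted, v, r) for v in (0, 1))
    return ok_honest, ok_cheat, decrypt(sk, posted), receipt_works

if __name__ == "__main__":
    print(demo())
```

The sketch omits any proof that the re-randomized ciphertext still encrypts the same vote, and it does not model the tally-hiding aggregation.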

If this is right

  • Public election audits can proceed without revealing the distribution of votes across candidates.
  • Voters gain assurance that their intended vote was cast correctly even if their personal device is compromised.
  • Coercion resistance holds information-theoretically rather than computationally, provided one tallier is honest.
  • Election systems can separate the roles of clients and talliers without creating transferable proofs of how a voter chose.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The design suggests that hybrid audit-cast mechanisms could reduce reliance on hardware tokens or trusted execution environments in future voting deployments.
  • If the re-randomization step scales efficiently, similar tally-hiding techniques might apply to other verifiable aggregation tasks such as private surveys or confidential committee decisions.
  • The formal security model could be extended to analyze resistance against adaptive adversaries who choose which tallier to corrupt after seeing the protocol transcript.

Load-bearing premise

The protocol requires at least one honest tallier to achieve information-theoretic receipt-freeness and assumes voters can reliably perform the Audit-or-Cast challenge to enforce cast-as-intended under untrusted clients.

What would settle it

An explicit attack showing that an adversary controlling all talliers except one can still link a specific voter to their ballot in the public record, or a concrete scenario where the Audit-or-Cast challenge fails to detect a malformed ballot under untrusted client software.

Original abstract

Electronic voting systems must balance public verifiability with voter privacy and coercion resistance. Existing cryptographic protocols typically achieve end-to-end verifiability by revealing vote distributions, relying on trusted clients, or enabling transferable receipts - design choices that often compromise trust or privacy in real-world deployments. We present ACE, a voting protocol that reconciles public auditability with strong privacy guarantees. The protocol combines a publicly verifiable, tally-hiding aggregation mechanism with an Audit-or-Cast challenge that enforces cast-as-intended even under untrusted client assumptions. Tallier-side re-randomization eliminates persistent links between voters and public records, yielding information-theoretic receipt-freeness assuming at least one honest tallier. We formalize the security of ACE and show that it simultaneously achieves end-to-end verifiability, publicly tally-hiding results, and strong receipt-freeness without trusted clients.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The manuscript presents the ACE voting protocol, which combines a publicly verifiable tally-hiding aggregation mechanism with an Audit-or-Cast challenge to enforce cast-as-intended even with untrusted clients. Tallier-side re-randomization is used to achieve information-theoretic receipt-freeness under the assumption of at least one honest tallier. The paper formalizes the security model and claims to prove that ACE simultaneously achieves end-to-end verifiability, publicly tally-hiding results, and strong receipt-freeness without trusted clients.

Significance. If the formal security proofs hold under the stated assumptions, this would represent a meaningful contribution to cryptographic voting systems by resolving long-standing tensions between public verifiability and strong privacy/coercion resistance properties. The explicit handling of untrusted clients via Audit-or-Cast and the information-theoretic receipt-freeness guarantee (under minimal honesty assumptions) could inform future protocol designs.

minor comments (3)
  1. Abstract: The high-level description of the Audit-or-Cast mechanism and tallier re-randomization could be expanded with one or two sentences on the core cryptographic steps to improve accessibility for readers unfamiliar with the primitives.
  2. The security definitions section would benefit from an explicit comparison (perhaps in a table) to standard notions of receipt-freeness and coercion resistance from prior work such as Benaloh or Juels et al., to clarify any deviations.
  3. The manuscript should include a brief discussion of the concrete efficiency costs (e.g., communication or computation overhead) of the Audit-or-Cast challenge relative to non-challenge-based protocols.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for their positive assessment of the ACE protocol and for recommending minor revision. The referee's summary correctly captures the protocol's combination of publicly verifiable tally-hiding aggregation, the Audit-or-Cast challenge for untrusted clients, and information-theoretic receipt-freeness under a single honest tallier. As the report contains no specific major comments, we have no revisions to propose at this time.

Circularity Check

0 steps flagged

No significant circularity detected in protocol formalization

full rationale

The paper introduces the ACE protocol with its Audit-or-Cast mechanism and tallier-side re-randomization, then formalizes security to establish end-to-end verifiability, tally-hiding results, and receipt-freeness under the explicit assumption of at least one honest tallier. No equations, game hops, or reductions are exhibited in the provided abstract or description that reduce by construction to fitted inputs, self-definitions, or prior self-citations. The central claims derive directly from the new construction and stated assumptions rather than renaming known results or smuggling ansatzes via citation chains. This is a standard self-contained protocol design with independent formalization.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based solely on the abstract, the central claim rests on standard cryptographic assumptions for the underlying primitives (such as those enabling tally-hiding and zero-knowledge proofs) and the design of the new Audit-or-Cast mechanism; no free parameters or invented entities are explicitly introduced.

axioms (1)
  • domain assumption: Standard cryptographic assumptions underlying tally-hiding aggregation and receipt-freeness primitives.
    Typical for voting protocols; not detailed in the abstract but required for the security claims.

pith-pipeline@v0.9.0 · 5457 in / 1358 out tokens · 65970 ms · 2026-05-10T04:57:54.339491+00:00 · methodology

